NSX 604 Api

NSX API Guide
NSX 6.0.4 for vSphere
This document supports the version of each product listed and

supports all subsequent versions until the document is replaced
by a new edition.
EN-001372-05
NSX API Guide
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright 2012 - 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
VMware, Inc.
Contents
AboutThisBook
19
1 OverviewofNSX 21
NSXCapabilities 22
LogicalSwitches 22
LogicalRouters 22
LogicalFirewall 22
LogicalVirtualPrivateNetworks(VPN)s 22
LogicalLoadBalancer 22
ServiceComposer 23
Extensibility 23
NSXComponents 23
NSXManager 23
NSXvSwitch 23
NSXController 23
NSXEdge 24
AnIntroductiontoRESTAPIforNSXUsers 24
HowRESTWorks 24
AbouttheRESTAPI 24
RESTfulWorkflowPatterns 25
ForMoreInformationAboutREST 25
UsingtheNSXRESTAPI 25
PortsRequiredforNSXRESTAPI 26
2 UserManagement 27
ConfiguringSSOonNSXManager 27
QuerySSODetails 28
QuerySSOConfigurationStatus 28
DeleteSSOConfiguration 28
UserManagement 28
GetInformationAboutaUser 28
EnableorDisableaUserAccount 29
RemoveRoleAssignment 29
RoleManagement 30
GetRoleforaUser 30
GetRoleforaNSXManagerUser 30
AddRoleandResourcesforaUser 31
ChangeUserRole 31
GetListofPossibleRoles 32
GetListofScopingObjects 32
DeleteUserRole 33
3 ManagingtheNSXManagerAppliance 35
UpgradingtheApplianceManager 35
UploadUpgradeBundle 35
QueryUpgradeInformation 35
BeginUpgrade 36
QueryUpgradeStatus 37
VMware, Inc.
vShield API Programming Guide
ConfiguringNSXManagerwithvCenterServer 37
ConfigurevCenterServerwithNSXManager 37
QueryConfigurationDetails 37
CertificateManagement 38
GenerateCSRCertificate 38
DownloadCSRCertificate 38
UploadCertificateChain 38
QueryCertificates 39
UploadKeystoreFile 39
ResourceManagement 39
QueryGlobalApplianceManagerInformation 39
QuerySummaryApplianceManagerInformation 40
QueryComponentInformation 40
RebootApplianceManager 41
QueryApplianceManagerCPU 41
QueryApplianceManagerUptime 42
QueryApplianceManagerMemory 42
QueryApplianceManagerStorage 42
WorkingwithNetworkSettings 42
QueryNetworkInformation 42
ConfigureDNSServers 43
DeleteDNSServers 43
WorkingwithTimeSettings 43
ConfigureTimeSettings 43
QueryTimeSettings 44
DeleteTimeSettings 44
WorkingwithLocaleSettings 44
ConfigureLocale 44
QueryLocale 44
WorkingwithSyslogServers 45
ConfigureSyslogServers 45
QuerySyslogServers 45
Retrievessyslogservers. 45
DeleteSyslogServers 45
Deletessyslogservers. 45
ComponentsManagement 46
QueryComponents 46
QuerySpecificComponent 46
QueryComponentDependencies 47
QuerySpecificComponentDependents 47
QueryComponentStatus 47
ToggleSpecificComponentStatus 48
WorkingwithBackupandRestore 48
ConfigureBackupSettings 48
ConfigureOnDemandBackup 49
QueryBackupSettings 49
DeleteBackupConfiguration 50
QueryAvailableBackups 50
RestoreData 50
WorkingwithTechSupportLogs 50
GenerateTechSupportLogs 50
DownloadTechSupportLogs 51
QueryingNSXManagerLogs 51
GetNSXManagerSystemEvents 51
GetNSXManagerAuditLogs 51
VMware, Inc.
Contents
WorkingwithSupportNotifications 51
QueryNotifications 51
DeleteallNotifications 52
AcknowledgeNotifications 52
4 GroupingObjects 53
WorkingwithSecurityGroups 53
CreateSecurityGroup 53
QuerySecurityGroups 55
QueryMembersforaScope 57
QuerySecurityGroupObjects 58
QuerySecurityGroupsthatcontainaVirtualMachine 58
ModifyaSecurityGroup 58
DeleteaSecurityGroup 58
WorkingwithTags 59
CreateSecurityTag 59
QuerySecurityTags 59
ApplyTagtoVirtualMachine 59
DetachTagfromVirtualMachine 60
DeleteTagfromVirtualMachine 60
WorkingwithIPsets 60
CreateanIPset 60
QueryIPsets 60
QueryDetailsofanIPset 61
ModifyanIPset 61
DeleteanIPset 61
WorkingwithMACsets 62
CreateaMACsetonaScope 62
ListMACsetsCreatedonaScope 62
GetDetailsofaMACset 62
ModifyanExistingMACset 62
DeleteaMACset 63
WorkingwithServices 63
ListServicesonaScope 63
AddServicetoaScope 63
GetDetailsofaService 64
ModifyServiceDetails 65
DeleteService 65
WorkingwithServiceGroups 66
AddServiceGroup 66
QueryServiceGroups 66
QueryDetailsofaServiceGroup 67
ModifyServiceGroupDetails 67
DeleteServiceGroupfromScope 68
WorkingwiththeMembersofaServiceGroup 68
QueryServiceGroupMembers 68
AddaMembertotheServiceGroup 69
DeleteaMemberfromtheServiceGroup 69
WorkingwithIPPools 69
AddanIPPool 69
QueryIPPoolDetails 70
ModifyanIPPool 70
AllocatingaNewIPAddress 71
AllocatingaSpecificIPAddress 71
QueryallIPPoolsonScope 72
QueryAllocatedIPAddresses 72
VMware, Inc.
ReleaseanIPAddress 73
DeleteanIPPool 73
QueryingObjectIDs 73
QueryDatacenterMOID 73
QueryDatacenterID 73
QueryHostID 74
QueryPortgroupID 74
5 InstallingNSXComponents 75
InstallingLicenses 75
WorkingwithNetworkVirtualizationComponents 76
InstallNetworkVirtualizationComponents 76
UpgradeNetworkVirtualizationComponents 76
DeleteNetworkVirtualizationComponents 77
WorkingwithVXLANforLogicalSwitches 77
WorkingwithControllers 78
AddController 78
QueryControllers 78
QueryControllerAdditionorDeletionDetails 79
QueryControllerTechSupportLogs 79
DeleteController 79
QueryClusterInformation 79
ModifyClusterConfiguration 79
AddControllerSyslogExporter 80
QueryControllerSyslogExporter 80
DeleteControllerSyslogExporter 80
BackupControllerData 81
WorkingwithSegmentIDs 81
AddanewSegmentIDRange 81
QueryallSegmentIDRanges 81
QueryaSpecificSegmentIDRange 82
UpdateaSegmentIDRange 82
DeleteaSegmentIDRange 82
ConfigureVXLAN 83
InstallVXLAN 83
DeleteVXLAN 84
DeleteVXLANwithvdsContext 84
WorkingwithNetworkScopes 84
CreateaNetworkScope 84
EditaNetworkScope 84
UpdateAttributesonaNetworkScope 85
QueryexistingNetworkScopes 85
QueryaSpecificNetworkScope 86
DeleteaNetworkScope 86
ResetCommunication 86
QueryFeaturesonCluster 86
QueryStatusofSpecificResources 87
QueryStatusofChildResources 88
QueryStatusofResourcesbyCriterion 89
WorkingwithServices 90
InstallSecurityFabric 91
ServiceDependency 91
DeployingaServicewithaDependency 92
IdentifyServiceDependency 92
6
VMware, Inc.
Contents
UninstallServiceDependency 92
QueryInstalledServices 92
QueryDetailsaboutaService 93
QueryClusters 93
UpgradeService 94
QueryAgentsonHost 94
QueryAgentInformation 95
QueryAgentsforDeployment 96
WorkingwithConflictingAgencies 97
QueryConflicts 97
RestoreConflictingAgencies 97
DeleteConflictingAgencies 98
DeleteDeploymentUnits 98
UninstallingServices 98
6 WorkingwithLogicalSwitches 101
PreparingforLogicalSwitches 102
ConfiguringSwitches 102
PrepareSwitch 102
QueryConfiguredSwitches 102
QueryConfiguredSwitchesonDatacenter 103
QuerySpecificSwitch 103
DeleteSwitch 103
WorkingwithSegmentIDs 104
AddanewSegmentIDRange 104
QueryallSegmentIDRanges 104
QueryaSpecificSegmentIDRange 105
UpdateaSegmentIDRange 105
DeleteaSegmentIDRange 105
WorkingwithMulticastAddressRanges 105
AddanewMulticastAddressRange 105
QueryallMulticastAddressRanges 106
GetaSpecificMulticastAddressRange 106
UpdateaMulticastAddressRange 107
DeleteaMulticastAddressRange 107
WorkingwithNetworkScopes 107
CreateaNetworkScope 107
EditaNetworkScope 107
UpdateAttributesonaNetworkScope 108
QueryexistingNetworkScopes 108
QueryaSpecificNetworkScope 109
DeleteaNetworkScope 109
WorkingwithVirtualizedNetworks 109
CreateaVXLANVirtualWire 109
QueryallVXLANVirtualWiresonaNetworkScope 110
QueryallVXLANVirtualWiresonallNetworkScopes 110
QueryaSpecificVXLANVirtualWire 111
ModifyControlPlaneMode 111
DeleteaVXLANVirtualWire 112
ManagingtheVXLANVirtualWireUDPPort 112
GetUDPPort 112
UpdateUDPPort 112
QueryingAllocatedResources 112
TestingMulticastGroupConnectivity 113
TestMulticastGroupConnectivityinaNetworkScope 113
TestMulticastGroupConnectivityinaVXLANVirtualWire 113
VMware, Inc.
PerformingPingTest
114
7 NSXEdgeLogicalRouterInstallationandManagement 115
InstallingaLogicalRouter 115
QueryaLogicalRouter 116
ModifyaRouter 118
DeletingaRouter 118
WorkingwithInterfaces 118
WorkingwithManagementInterfaces 118
ConfigureManagementInterfaces 118
QueryManagementInterfaces 119
WorkingwithallInterfaces 119
AddInterfaces 119
QueryInterfacesforaNSXEdgeRouter 120
DeleteInterfaces 121
DeleteallInterfaces 121
ManageanNSXEdgeRouterInterface 122
RetrieveInterfacewithSpecificIndex 122
ModifyanInterface 122
DeleteInterfaceConfiguration 122
ConfigureRoutes 123
QueryRoutes 125
DeleteRoutes 128
ManageGlobalRoutingConfiguration 128
SpecifyGlobalConfiguration 128
QueryGlobalRoute 128
ManageStaticRouting 129
ConfigureStaticRoutes 129
QueryStaticRoutes 129
DeleteStaticRoutes 130
ManageOSPFRoutesforNSXEdge 130
ConfigureOSPF 130
QueryOSPF 131
DeleteOSPF 132
ManageISISRoutesforNSXEdge 132
ConfigureISIS 132
QueryISIS 133
DeleteISIS 134
ManageBGPRoutesforNSXEdge 135
ConfigureBGP 135
QueryBGP 136
DeleteBGP 137
WorkingwithBridging 137
ConfigureaBridge 137
QueryBridgeConfiguration 138
QueryBGP 138
DeleteBridgeConfiguration 138
8 NSXEdgeServicesGatewayInstallation,Upgrade,andManagement 139
InstallingNSXEdgeServicesGateway 140
UpgradingvShieldEdge5.1.xor5.5toNSXEdge
QueryInstalledEdges 142
ModifyingNSXEdgeConfiguration 146
142
VMware, Inc.
Contents
DeletingNSXEdge 150
ConfiguringEdgeServicesinAsyncMode 150
QueryAsyncJobStatus 150
QueryallJobs 151
QueryactiveJobs 151
ConfiguringCertificates 151
WorkingwithCertificates 152
CreateCertificate 152
CreateCertificateorCertificateChainforCSR 152
QueryCertificates 152
DeleteCertificate 152
WorkingwithCertificateSigningRequests(CSRs) 153
CreateCSR 153
CreateSelfSignedCertificateforCSR 153
QueryCSRs 153
WorkingwithCertificateRevocationList(CRL) 154
CreateaCRL 154
QueryCRL 154
DeleteCRL 154
WorkingwithNSXEdgeFirewall 154
ConfigureFirewall 155
QueryFirewallConfiguration 156
AppendFirewallRules 158
AddaFirewallRuleAboveaSpecificRule 158
QuerySpecificRule 159
ModifyFirewallRule 159
DeleteaFirewallRule 160
DeleteFirewallConfiguration 160
ManageGlobalFirewallConfiguration 160
QueryGlobalFirewallConfiguration 160
ModifyGlobalConfiguration 161
ManageDefaultFirewallPolicy 161
QueryDefaultFirewallPolicy 161
ModifyDefaultFirewallPolicy 162
QueryFirewallStatistics 162
QueryFirewallStatisticsforRule 162
DisableFirewall 163
WorkingwithNAT 163
ConfigureNAT 163
QueryNATRulesforaEdgeEdge 164
DeleteallNATRules 165
AddaNATRuleaboveaSpecificRule 165
AppendNATRules 165
ModifyaNATRule 166
DeleteaNATRule 166
WorkingwithRouting 166
ConfigureRoutes 166
QueryRoutes 170
DeleteRoutes 170
ManageGlobalRoutingConfiguration 170
SpecifyGlobalConfiguration 170
QueryGlobalRoute 171
ManageStaticRouting 171
ConfigureStaticRoutes 171
VMware, Inc.
QueryStaticRoutes 172
DeleteStaticRoutes 172
ManageOSPFRoutesforNSXEdge 173
ConfigureOSPF 173
QueryOSPF 174
DeleteOSPF 175
ManageISISRoutesforNSXEdge 175
ConfigureISIS 175
QueryISIS 176
DeleteISIS 177
ManageBGPRoutesforNSXEdge 177
ConfigureBGP 177
QueryBGP 178
DeleteBGP 179
WorkingwithLoadBalancer 180
ConfigureLoadBalancer 180
QueryLoadBalancerConfiguration 186
DeleteLoadBalancerConfiguration 186
ManageApplicationprofiles 187
AppendApplicationProfile 187
ModifyApplicationProfile 187
QueryApplicationProfile 187
QueryallApplicationProfiles 188
DeleteApplicationProfile 188
DeleteallApplicationProfiles 189
ManageApplicationRules 189
AppendApplicationRule 189
ModifyApplicationRule 189
QueryApplicationRule 189
QueryallApplicationRules 189
DeleteApplicationRule 190
DeleteallApplicationRules 190
ManageLoadBalancerMonitors 190
AppendMonitor 190
ModifyMonitor 190
QueryMonitor 191
QueryallMonitors 191
DeleteMonitor 192
DeleteallMonitors 192
ManageVirtualServers 192
AppendVirtualServer 192
QueryaVirtualServer 193
QueryallVirtualServers 193
DeleteaVirtualServer 194
DeleteallVirtualServer 194
ManageBackendPools 194
AppendBackendPool 194
ModifyaBackendPool 195
QueryBackendPoolDetails 195
QueryallBackendPools 196
DeleteaBackendPool 198
DeleteallBackendPools 198
QueryStatistics 198
10
VMware, Inc.
Contents
UpdateLoadBalancerAccelerationMode 200
UpdateLoadBalancerMemberCondition 200
WorkingwithDHCP 200
ConfigureDHCP 201
QueryDHCPConfiguration 202
DeleteDHCPConfiguration 202
RetrieveDHCPLeaseInformation 203
AppendIPPooltoDHCPConfiguration 203
AppendStaticBindingtoDHCPConfiguration 203
DeleteDHCPPool 204
DeleteDHCPStaticBinding 204
WorkingwithHighAvailability(HA) 204
RetrieveHighAvailabilityConfiguration 205
DeleteHighAvailabilityConfiguration 205
WorkingwithSyslog 205
ConfigureSyslog 205
QuerySyslog 205
DeleteSyslog 206
ManagingSSLVPN 206
EnableorDisableSSLVPN 206
QuerySSLVPNDetails 206
ManageServerSettings 206
ApplyServerSettings 206
QueryServerSettings 207
ConfigurePrivateNetworks 207
AddPrivateNetwork 207
ModifyPrivateNetwork 208
QuerySpecificPrivateNetwork 208
DeletePrivateNetwork 209
DeleteallPrivateNetworks 209
ApplyAllPrivateNetworks 209
ConfigureWebResource 209
AddPortalWebResource 209
ModifyPortalWebResource 210
QueryPortalWebResource 210
QueryallWebResources 210
DeletePortalWebResource 211
DeletesallWebResources 211
ApplyAllWebResources 211
ConfigureUsers 211
AddUser 211
ModifyUser 212
QueryUserDetails 212
DeleteUser 213
DeleteallUsers 213
ApplyallUsers 213
ConfigureIPPool 213
AddIPPool 214
ModifyIPPool 214
QueryIPPool 214
QueryallIPPools 215
DeleteIPPool 215
DeletesallIPPools 215
ApplyallIPPools 215
VMware, Inc.
11
ConfigureNetworkExtensionClientParameters 216
ApplyClientConfiguration 216
GetClientConfiguration 216
ConfigureNetworkExtensionClientInstallationPackage
AddClientInstallationPackage 217
ModifyClientInstallationPackage 217
QueryClientInstallationPackage 218
QueryallClientInstallationPackages 218
DeleteClientInstallationPackage 219
DeleteallClientInstallationPackages 219
ApplyallInstallationPackages 219
ConfigurePortalLayouts 220
UploadPortalLogo 220
UploadPhatBanner 220
UploadClientConnectedIcon 220
UploadClientDisconnectedIcon 221
UploadClientDesktopIcon 221
UploadErrorConnectedIcon 221
ApplyLayoutConfiguration 221
QueryPortalLayout 221
ConfigureAuthenticationParameters 222
UploadRSAConfigFile 222
ApplyAuthenticationConfiguration 222
QueryAuthenticationConfiguration 223
ConfigureSSLVPNAdvancedConfiguration 224
Applyadvancedconfiguration 224
QueryAdvancedConfiguration 225
WorkingwithActiveClients 225
QueryActiveClients 225
DisconnectActiveClient 226
ManageLogonandLogoffscripts 226
UploadScript 226
ConfigureScriptParameters 226
ModifyScriptConfiguration 226
QueryScriptConfiguration 227
QueryAllScriptConfigurations 227
DeleteScriptConfiguration 227
DeleteAllScriptConfiguragtions 228
ApplyAllScriptConfigurations 228
ReconfigureSSLVPN 228
QuerySSLVPNConfiguration 231
DeleteSSLVPNConfiguration 234
QuerySSLVPNStatistics 234
WorkingwithL2VPN 235
ConfigureL2VPN 235
QueryL2VPN 237
QueryL2VPNStatistics 237
EnableL2VPN 238
DeleteL2VPN 238
WorkingwithIPSECVPN 238
RetrieveIPSecConfiguration 240
RetrieveIPSecStatistics 241
QueryTunnelTrafficStatistics 242
DeleteIPSecConfiguration 242
12
217
VMware, Inc.
Contents
ManaginganNSXEdge 243
ForceSyncEdge 243
RedeployEdge 243
UpdateDNSSettings 243
ModifyAESNISetting 243
ModifyEdgeApplianceCoreDumpSetting 244
ModifyFIPsSetting 244
ModifyLogSetting 244
QueryEdgeSummary 244
QueryEdgeStatus 246
QueryEdgeTechSupportLogs 248
ManageCLICredentialsandAccess 248
YoucanmodifytheCLIcredentialsandenableordisableSSHservicesforaEdgeEdge.
ModifyCLICredentials 248
ChangeCLIRemoteAccess 249
ManageAutoConfigurationSettings 249
ModifyAutoConfigurationSettings 249
QueryAutoConfigurationSettings 249
WorkingwithAppliances 249
QueryApplianceConfiguration 250
ModifyApplianceConfiguration 250
ChangeApplianceSize 251
ManageanAppliance 251
WorkingwithInterfaces 252
AddInterfaces 252
RetrieveInterfacesforaEdgeEdge 254
DeleteInterfaces 254
ManageaEdgeInterface 255
RetrieveInterfacewithSpecificIndex 255
ModifyanInterface 255
DeleteInterfaceConfiguration 256
QueryInterfaceStatistics 257
QueryStatisticsforallInterfaces 257
QueryStatisticsforUplinkInterfaces 257
QueryStatisticsforInternalInterfaces 258
QueryDashboardStatistics 258
248
9 DistributedFirewallManagement 261
ConfiguringDistributedFirewall 262
QueryFirewallConfiguration 263
ModifyFirewallConfiguration 263
DeleteFirewallConfiguration 265
WorkingwithFirewallSections 266
QueryFirewallSections 266
AddFirewallSection 267
ModifyFirewallSection 268
DeleteFirewallSection 270
WorkingwithFirewallRules 270
QueryFirewallRule 270
AddFirewallRule 271
ModifyFirewallRule 272
QueryStatus 273
QueryFirewallConfigurationStatus 273
QueryLayer3SectionStatus 274
QueryLayer2SectionStatus 275
VMware, Inc.
13
SynchronizingandEnablingFirewall 276
ForceSyncHost 276
ForceSyncCluster 276
EnableorDisableAPIsforaCluster 277
ImportingandExportingFirewallConfigurations 277
SaveaConfiguration 277
QueryallSavedConfigurations 278
QueryaSavedConfiguration 278
ModifyaSavedConfiguration 279
DeleteaSavedConfiguration 280
ExportaSavedConfiguration 280
ImportaSavedConfiguration 280
FirewallMigrationSwitch 281
ConfiguringFailSafeModeforDistributedFirewall 282
ConfigureFailSafeModeforvShieldAppFirewall 282
QueryFailSafeModeConfigurationforvShieldAppFirewall 282
WorkingwithSpoofGuard 283
CreateSpoofGuardPolicy 283
ModifySpoofGuardPolicy 283
QuerySpoofGuardPolicy 284
QueryallSpoofGuardPolicies 284
DeleteSpoofGuardPolicy 285
GettingFlowStatisticDetails 285
GetFlowStatistics 285
GetFlowMetaData 287
QueryFlowSummary 288
QueryFlowTable 289
QueryFlowDetails 289
QueryPagedFlowDetails 290
QueryFlowDetailsApplication 290
QueryPagedFlowDetailsApplication 290
FlowExclusion 291
ExcludeFlows 291
QueryExcludedFlows 292
ExcludingVirtualMachinesfromFirewallProtection 293
AddaVirtualMachinetotheExclusionList 293
GetVirtualMachineExclusionList 293
DeleteaVirtualMachinefromExclusionList 294
10 ServiceComposerManagement 295
WorkingwithSecurityPolicies 296
CreatingaSecurityPolicy 296
DescriptionofTags 298
QueryingSecurityPolicies 299
EditaSecurityPolicy 302
DeleteaSecurityPolicy 302
ExportaSecurityPolicyConfiguration 303
ImportaSecurityPolicyConfiguration 303
QuerySecurityActionsforaSecurityPolicy 304
WorkingwithSecurityActions 304
QueryVirtualMachinesforaSecurityAction 304
QuerySecurityActionsApplicableonaSecurityGroup 304
QuerySecurityActionApplicableonAVirtualMachine 309
QuerySecurityPoliciesMappedtoaSecurityGroup 309
QueryServiceProviderData 309
14
VMware, Inc.
Contents
QuerySecurityGroupEffectiveMembership 310
QuerySecurityGroupstowhichaVMBelongs 310
11 DataSecurityConfiguration 311
DataSecurityUserRoles 311
DefiningaDataSecurityPolicy 312
QueryRegulations 312
EnableaRegulation 312
QueryClassificationValue 313
ConfigureaCustomizedRegexasaClassificationValue 313
ViewtheListofExcludableAreas 313
ExcludeAreasfromPolicyInspection 314
SpecifySecurityGroupstobeScanned 315
QuerySecurityGroupsBeingScanned 315
ConfigureFileFilters 316
SavingandPublishingPolicies 317
QuerySavedPolicy 317
QueryPublishedPolicy 318
PublishtheUpdatedPolicy 318
DataSecurityScanning 318
Start,Pause,Resume,orStopaScanOperation 319
QueryStatusforaScanOperation 319
QueryingScanResults 319
GetListofVirtualMachinesBeingScanned 319
GetNumberofVirtualMachinesBeingScanned 320
GetSummaryInformationabouttheLastFiveScans 320
GetInformationforVirtualMachinesScannedDuringPreviousScan 321
RetrieveInformationAboutPreviousScanResults 321
GetXMLRepresentationofPolicyUsedforPreviousScan 321
QueryingViolationDetails 323
GetListofViolationCounts 323
GetListofViolatingFiles 324
GetListofViolatingFilesinCSVFormat 325
GetViolationsinEntireInventory 325
325
12 ActivityMonitoring 327
DataCollection 327
EnableDataCollectiononaSingleVirtualMachine 328
DisableDataCollectiononaSingleVirtualMachine 328
OverrideDataCollection 328
TurnOnKillSwitch 328
TurnOffKillSwitch 329
QueryPerVirtualMachineDataCollection 329
QueryResources 330
Prerequisites 330
ViewOutboundActivity 330
ParameterValues 330
ViewInboundActivity 331
ParameterValues 331
ViewInteractionbetweenInventoryContainers 332
ParameterValues 332
ViewOutboundADGroupActivity 332
ParameterValues 332
QueryUserDetails 333
VMware, Inc.
15
ViewOutboundActivity 333
ParameterValues 333
ViewInboundActivity 334
ParameterValues 334
ViewInteractionbetweenInventoryContainers 334
ParameterValues 335
ViewOutboundADGroupActivity 335
ParameterValues 335
ViewVirtualMachineActivityReport 336
ParameterValues 336
QueryDiscoveredUserDetails 337
WorkingwithDomains 338
RegisteraDomainwithNSXManager 338
ParameterValuesforRegister/UpdateDomain 339
QueryDomains 339
DeleteDomain 340
WorkingwithLDAPServers 340
WorkingwithEventLogServers 340
WorkingwithMappingLists 341
WorkingwithActivityMonitoringSyslogSupport 341
13 TaskFrameworkManagement 343
AboutTaskFramework 343
QueryJobInstancesforJobID 344
QueryLatestJobInstancesforJobID 345
BlockRESTThread 345
QueryJobInstancesbyCriterion 345
14 ObjectIDs 347
QueryDatacenterMOID 347
QueryDatacenterID 347
QueryHostID 347
QueryPortgroupID 348
QueryVMID 348
15 vShieldEndpointManagement 349
OverviewofSolutionRegistration 349
RegisteringaSolutionwithvShieldEndpointService 350
RegisteraVendor 350
RegisteraSolution 350
AltitudeofaSolution 350
IPAddressandPortforaSolution 350
ActivateaSolution 351
QueryingRegistrationStatusofvShieldEndpoint 351
GetVendorRegistration 351
GetSolutionRegistration 351
GetIPAddressofaSolution 352
GetActivationStatusofaSolution 352
QueryingActivatedSecurityVirtualMachinesforaSolution 352
QueryActivatedSecurityVirtualMachines 352
QueryActivationInformation 353
UnregisteringaSolutionwithvShieldEndpoint 353
UnregisteraVendor 353
UnregisteraSolution 353
16
VMware, Inc.
Contents
UnsetIPAddress 354
DeactivateaSolution 354
StatusCodesandErrorSchema
ReturnStatusCodes 354
ErrorSchema 355
354
16 DeprecatedAPIs 357
AppendixA:Schemas
359
FirewallSchemas 359
FirewallConfigurationSchema 359
FirewallSectionSchema 360
FirewallSectionsSchema 361
Deprecated:vShieldManagerGlobalConfigurationSchema 361
Deprecated:ESXHostPreparationandUninstallationSchema 366
Deprecated:vShieldAppSchemas 367
vShieldAppConfigurationSchema 367
vShieldAppFirewallSchema 367
vShieldAppSpoofGuardSchema 370
vShieldAppNamespaceSchema 372
ErrorMessageSchema 373
VMware, Inc.
17
18
VMware, Inc.
About This Book
Thismanual,theNSXforvSphereAPIGuide,describeshowtoinstall,configure,monitor,andmaintainthe
VMwareNSXsystembyusingRESTAPIrequests..
Intended Audience
ThismanualisintendedforanyonewhowantstouseRESTAPItoprogrammaticallycontrolNSXina
VMwarevSphereenvironment.Theinformationinthismanualiswrittenforexperienceddeveloperswhoare
familiarwithvirtualmachinetechnology,virtualizeddatacenteroperations,andRESTAPIs.Thismanualalso
assumesfamiliaritywithvShield.
VMware Technical Publications Glossary

VMwareTechnicalPublicationsprovidesaglossaryoftermsthatmightbeunfamiliartoyou.Fordefinitions
oftermsastheyareusedinVMwaretechnicaldocumentationgotohttp://www.vmware.com/support/pubs.
Document Feedback
VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhavecomments,sendyour
feedbacktodocfeedback@vmware.com.
NSX Documentation
ThefollowingdocumentscomprisethevShielddocumentationset:
NSXforvSphereAdministrationGuide
NSXforvSphereInstallationandUpgrade
NSXAPIProgrammingGuide,thisguide
Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.Toaccessthecurrentversion
ofthisbookandotherbooks,gotohttp://www.vmware.com/support/pubs.
Online and Telephone Support

Touseonlinesupporttosubmittechnicalsupportrequests,viewyourproductandcontractinformation,and
registeryourproducts,gotohttp://www.vmware.com/support.
Customerswithappropriatesupportcontractsshouldusetelephonesupportforthefastestresponseon
priority1issues.Gotohttp://www.vmware.com/support/phone_support.
VMware, Inc.
19
Support Offerings
TofindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds,goto
http://www.vmware.com/support/services.
VMware Professional Services

VMwareEducationServicescoursesofferextensivehandsonlabs,casestudyexamples,andcoursematerials
designedtobeusedasonthejobreferencetools.Coursesareavailableonsite,intheclassroom,andlive
online.Foronsitepilotprograms andimplementationbestpractices,VMwareConsultingServicesprovides
offeringsto helpyouassess,plan,build,andmanageyourvirtualenvironment.Toaccessinformationabout
educationclasses,certificationprograms,andconsultingservices,gotohttp://www.vmware.com/services.
20
VMware, Inc.
Overview of NSX
VMwareNSXisasoftwarenetworkingandsecurityvirtualizationplatformthatdeliverstheoperational
modelofavirtualmachineforthenetwork.VirtualnetworksreproducetheLayer2Layer7networkmodel
insoftware,allowingcomplexmultitiernetworktopologiestobecreatedandprovisionedprogrammatically
inseconds.NSXalsoprovidesanewmodelfornetworksecurity.Securityprofilesaredistributedtoand
enforcedbyvirtualportsandmovewithvirtualmachines.
NSXsupportsVMwaressoftwaredefineddatacenterstrategy.Byextendingthevirtualizationcapabilitiesof
abstraction,poolingandautomationacrossalldatacenterresourcesandservices,thesoftwaredefineddata
centerarchitecturesimplifiesandspeedstheprovisioningandmanagementofcompute,storageand
networkingresourcesthroughpolicydrivenautomation.Byvirtualizingthenetwork,NSXdeliversanew
operationalmodelfornetworkingthatbreaksthroughcurrentphysicalnetworkbarriersandenablesdata
centeroperatorstoachievebetterspeedandagilitywithreducedcosts.
NSXincludesalibraryoflogicalnetworkingserviceslogicalswitches,logicalrouters,logicalfirewalls,logical
loadbalancers,logicalVPN,anddistributedsecurity.Youcancreatecustomcombinationsoftheseservicesin
isolatedsoftwarebasedvirtualnetworksthatsupportexistingapplicationswithoutmodification,ordeliver
uniquerequirementsfornewapplicationworkloads.Virtualnetworksareprogrammaticallyprovisionedand
managedindependentofnetworkinghardware.Thisdecouplingfromhardwareintroducesagility,speed,and
operationalefficiencythatcantransformdatacenteroperations.
ExamplesofNSXusecasesinclude:
Datacenterautomation
Speedupnetworkprovisioning
Simplifyserviceinsertionvirtualandphysical
StreamlineDMZchanges
SelfServiceEnterpriseIT
Rapidapplicationdeploymentwithautomatednetworkandserviceprovisioningforprivateclouds
andtest/devenvironments
Isolateddev,test,andproductionenvironmentsonthesamephysicalinfrastructure
Multitenantclouds
Automatenetworkprovisioningfortenantswithcustomizationandcompleteisolation
Maximizehardwaresharingacrosstenants
NSX can be configured through the vSphere Web Client, a command line interface (CLI), and REST API.
Thischapterincludesthefollowingtopics:
NSXCapabilitiesonpage 22
NSXComponentsonpage 23
VMware, Inc.
21
PortsRequiredforNSXRESTAPIonpage 26
AnIntroductiontoRESTAPIforNSXUsersonpage 24
NSX Capabilities
Logical Switches
Aclouddeploymentoravirtualdatacenterhasavarietyofapplicationsacrossmultipletenants.These
applicationsandtenantsrequireisolationfromeachotherforsecurity,faultisolation,andavoiding
overlappingIPaddressingissues.TheNSXlogicalswitchcreateslogicalbroadcastdomainsorsegmentsto
whichanapplicationortenantvirtualmachinecanbelogicallywired.Thisallowsforflexibilityandspeedof
deploymentwhilestillprovidingallthecharacteristicsofaphysicalnetworksbroadcastdomains(VLANs)
withoutphysicalLayer2sprawlorspanningtreeissues.Alogicalswitchisdistributedandcanspan
arbitrarilylargecomputeclusters.Thisallowsforvirtualmachinemobility(vMotion)withinthedatacenter
withoutlimitationsofthephysicalLayer2(VLAN)boundary.Thephysicalinfrastructuredoesnothaveto
dealwithMAC/FIBtablelimitssincethelogicalswitchcontainsthebroadcastdomaininsoftware.
Logical Routers
Dynamicroutingprovidesthenecessaryforwardinginformationbetweenlayer2broadcastdomains,thereby
allowingyoutodecreaselayer2broadcastdomainsandimprovenetworkefficiencyandscale.NSXextends
thisintelligencetowheretheworkloadsresidefordoingEastWestrouting.Thisallowsmoredirectvirtual
machinetovirtualmachinecommunicationwithoutthecostlyortimelyneedtoextendhops.Atthesame
time,NSXalsoprovidesNorthSouthconnectivity,therebyenablingtenantstoaccesspublicnetworks.
Logical Firewall
LogicalFirewallprovidessecuritymechanismsfordynamicvirtualdatacenters.TheDistributedFirewall
componentofLogicalFirewallallowsyoutosegmentvirtualdatacenterentitieslikevirtualmachinesbased
onVMnamesandattributes,useridentity,vCenterobjectslikedatacenters,andhostsaswellastraditional
networkingattributeslikeIPaddresses,VLANs,etc.TheEdgeFirewallcomponenthelpsyouachievekey
perimetersecurityneedssuchasbuildingDMZsbasedonIP/VLANconstructs,tenanttotenantisolationin
multitenantvirtualdatacenters,NetworkAddressTranslation(NAT),partner(extranet)VPNs,andUser
basedSSLVPNs.
TheFlowMonitoringfeaturedisplaysnetworkactivitybetweenvirtualmachinesattheapplicationprotocol
level.Youcanusethisinformationtoauditnetworktraffic,defineandrefinefirewallpolicies,andidentify
threatstoyournetwork.
Logical Virtual Private Networks (VPN)s

SSLVPNPlusallowsremoteuserstoaccessprivatecorporateapplications.IPSecVPNofferssitetosite
connectivitybetweenanNSXEdgeinstanceandremotesites.L2VPNallowsyoutoextendyourdatacenter
byallowingvirtualmachinestoretainnetworkconnectivityacrossgeographicalboundaries.
Logical Load Balancer

TheNSXEdgeloadbalancerenablesnetworktraffictofollowmultiplepathstoaspecificdestination.It
distributesincomingservicerequestsevenlyamongmultipleserversinsuchawaythattheloaddistribution
istransparenttousers.Loadbalancingthushelpsinachievingoptimalresourceutilization,maximizing
throughput,minimizingresponsetime,andavoidingoverload.NSXEdgeprovidesloadbalancingupto
Layer7.
22
VMware, Inc.
Chapter 1 Overview of NSX
Service Composer
ServiceComposerhelpsyouprovisionandassignnetworkandsecurityservicestoapplicationsinavirtual
infrastructure.Youmaptheseservicestoasecuritygroup,andtheservicesareappliedtothevirtualmachines
inthesecuritygroup.
DataSecurityprovidesvisibilityintosensitivedatastoredwithinyourorganizationsvirtualizedandcloud
environments.BasedontheviolationsreportedbyNSXDataSecurity,youcanensurethatsensitivedatais
adequatelyprotectedandassesscompliancewithregulationsaroundtheworld.
Extensibility
VMwarepartnerscanintegratetheirsolutionswiththeNSXplatform,whichenablescustomerstohavean
integratedexperienceacrossVMwareproductsandpartnersolutions.Datacenteroperatorscanprovision
complex,multitiervirtualnetworksinseconds,independentoftheunderlyingnetworktopologyor
components.
NSX Components
This section describes NSX components. NSX can be configured through the vSphere Web Client, a command line
interface (CLI), and REST API.
NSX Manager
TheNSXManageristhecentralizednetworkmanagementcomponentofNSX,andisinstalledasavirtual
applianceonanyESXhostinyourvCenterServerenvironment.Itprovidesanaggregatedsystemview.
OneNSXManagermapstoasinglevCenterServerenvironmentandmultipleNSXEdge,vShieldEndpoint,
andNSXDataSecurityinstances.
NSX vSwitch
NSXvSwitchisthesoftwarethatoperatesinserverhypervisorstoformasoftwareabstractionlayerbetween
serversandthephysicalnetwork.
Asthedemandsondatacenterscontinuetogrowandaccelerate,requirementsrelatedtospeedandaccessto
thedataitselfcontinuetogrowaswell.Inmostinfrastructures,virtualmachineaccessandmobilityusually
dependonphysicalnetworkinginfrastructureandthephysicalnetworkingenvironmentstheyresidein.This
canforcevirtualworkloadsintolessthanidealenvironmentsduetopotentiallayer2orlayerboundaries,such
asbeingtiedtospecificVLANs.
NSXvSwitchallowsyoutoplacethesevirtualworkloadsonanyavailableinfrastructureinthedatacenter
regardlessoftheunderlyingphysicalnetworkinfrastructure.Thisnotonlyallowsincreasedflexibilityand
mobility,butincreasedavailabilityandresilience.
NSX Controller
NSXcontrollerisanadvanceddistributedstatemanagementsystemthatcontrolsvirtualnetworksand
overlaytransporttunnels.
NSXcontrolleristhecentralcontrolpointforalllogicalswitcheswithinanetworkandmaintainsinformation
ofallvirtualmachines,hosts,logicalswitches,andVXLANs.Thecontrollersupportstwonewlogicalswitch
controlplanemodes,UnicastandHybrid.ThesemodesdecoupleNSXfromthephysicalnetwork.VXLANs
nolongerrequirethephysicalnetworktosupportmulticastinordertohandletheBroadcast,Unknown
unicast,andMulticast(BUM)trafficwithinalogicalswitch.TheunicastmodereplicatesalltheBUMtraffic
locallyonthehostandrequiresnophysicalnetworkconfiguration.Inthehybridmode,someoftheBUM
trafficreplicationisoffloadedtothefirsthopphysicalswitchtoachievebetterperformance.
VMware, Inc.
23
NSX Edge
NSXEdgeprovidesnetworkedgesecurityandgatewayservicestoisolateavirtualizednetwork.Youcan
installanNSXEdgeeitherasalogical(distributed)routerorasaservicesgateway.
TheNSXEdgelogical(distributed)routerprovidesEastWestdistributedroutingwithtenantIPaddressspace
anddatapathisolation.Virtualmachinesorworkloadsthatresideonthesamehostondifferentsubnetscan
communicatewithoneanotherwithouthavingtotraverseatraditionalroutinginterface.
TheNSXEdgegatewayconnectsisolated,stubnetworkstoshared(uplink)networksbyprovidingcommon
gatewayservicessuchasDHCP,VPN,NAT,dynamicrouting,andLoadBalancing.Commondeploymentsof
NSXEdgeincludeintheDMZ,VPNExtranets,andmultitenantCloudenvironmentswheretheNSXEdge
createsvirtualboundariesforeachtenant.
An Introduction to REST API for NSX Users

REST,anacronymforREpresentationalStateTransfer,isatermthathasbeenwidelyemployedtodescribean
architecturalstylecharacteristicofprogramsthatrelyontheinherentpropertiesofhypermediatocreateand
modifythestateofanobjectthatisaccessibleataURL.
How REST Works

OnceaURLofsuchanobjectisknowntoaclient,theclientcanuseanHTTPGETrequesttodiscoverthe
propertiesoftheobject.ThesepropertiesaretypicallycommunicatedinastructureddocumentwithanHTTP
ContentTypeofXMLthatprovidesarepresentationofthestateoftheobject.InaRESTfulworkflow,
documents(representationsofobjectstate)arepassedbackandforth(transferred)betweenaclientanda
servicewiththeexplicitassumptionthatneitherpartyneedknowanythingaboutanentityotherthanwhatis
presentedinasinglerequestorresponse.TheURLsatwhichthesedocumentsareavailableareoftensticky,
inthattheypersistbeyondthelifetimeoftherequestorresponsethatincludesthem.Theothercontentofthe
documentsisnominallyvaliduntiltheexpirationdatenotedintheHTTPExpiresheader.
IMPORTANTAllNSXRESTrequestsrequireauthentication.ThedefaultNSXManagerlogincredentialsare
useradminpassworddefault.Unlessyouchangedthese,youcanusethefollowingbasicauthentication,where
YWRtaW46ZGVmYXVsdA==istheBase64encodingofthedefaultcredentialsadmin:default.
Authorization: Basic YWRtaW46ZGVmYXVsdA==
About the REST API

RESTAPIsuseHTTPrequests(oftensentbyscriptorhighlevellanguage)asawayofmakingidempotent
remoteprocedurecallsthatcreate,modify,ordeleteobjectsdefinedbytheAPI.ARESTAPIisdefinedbya
collectionofXMLdocumentsthatrepresenttheobjectsonwhichtheAPIoperates.TheHTTPoperations
themselvesaregenerictoallHTTPclients.TowriteaRESTfulclient,youshouldunderstandHTTPprotocol
andthesemanticsofstandardHTMLmarkup.ForNSXRESTAPI,youmustknowthreethings:
ThesetofobjectsthattheAPIsupports,andwhattheyrepresent.Forexample,whatarevDCandOrg?
HowtheAPIrepresentstheseobjects.Forinstance,whatistheXMLschemafortheNSXEdgefirewall
ruleset?Whatdotheindividualelementsandattributesrepresent?
Howtheclientreferstoanobjectonwhichitwantstooperate.Forexample,whatisamanagedobjectID?
Toanswerthesequestions,youlookatNSXAPIresourceschemas.TheseschemasdefineanumberofXML
types,manyofwhichareextendedbyothertypes.TheXMLelementsdefinedintheseschemas,alongwith
theirattributesandcompositionrules(minimumandmaximumnumberofelementsorattributes,orthe
prescribedhierarchywithwhichelementscanbenested)representthedatastructuresofNSXobjects.Aclient
canreadanobjectbymakinganHTTPGETrequesttotheobjectsresourceURL.Aclientcanwrite(create
ormodify)anobjectwithanHTTPPUTorPOSTrequestthatincludesaneworchangedXMLbodydocument
fortheobject.UsuallyaclientcandeleteanobjectwithanHTTPDELETErequest.
24
VMware, Inc.
Chapter 1 Overview of NSX
Thisdocumentpresentsexamplerequestsandresponses,andprovidesreferenceinformationontheXML
schemasthatdefinetherequestandresponsebodies.
RESTful Workflow Patterns

AllRESTfulworkflowsfallintoapatternthatincludesonlytwofundamentaloperations,whichyourepeatin
thisorderforaslongasnecessary.
MakeanHTTPrequest(GET,PUT,POST,orDELETE).Thetargetofthisrequestiseitherawellknown
URL(suchasNSXManager)oralinkobtainedfromtheresponsetoapreviousrequest.Forexample,a
GETrequesttoanOrgURLreturnslinkstovDCobjectscontainedbytheOrg.
Examinetheresponse,whichcanbeanXMLdocumentoranHTTPresponsecode.Iftheresponseisan
XMLdocument,itmaycontainlinksorotherinformationaboutthestateofanobject.Iftheresponseis
anHTTPresponsecode,itindicateswhethertherequestsucceededorfailed,andmaybeaccompanied
byaURLthatpointstoalocationfromwhichadditionalinformationcanberetrieved.
For More Information About REST

ForacomprehensivediscussionofRESTfrombothclientandserverperspectives,seeRESTfulWebServicesby
LeonardRichardsonandSamRuby,published2007byOReillyMedia.
TherearealsomanysourcesofinformationaboutRESTontheWeb,including:
http://www.infoq.com/articles/restintroduction
http://www.infoq.com/articles/subbuallamarajurest
http://www.stucharlton.com/blog/archives/000141.html
Using the NSX REST API

YouhaveseveralchoicesforprogrammingtheNSXRESTAPI:usingFirefox,Chrome,orcURL.TomakeXML
responsesmorelegible,youcancopyandpastethemintoanXMLfriendlyeditorsuchasxmlcopyeditoror
pspad.
To use the REST API in Firefox
1
LocatetheRESTClientMozillaaddon,andaddittoFirefox.
ClickTools>RESTClienttostarttheaddon.
ClickLoginandentertheNSXlogincredentials,whichthenappearencodedintheRequestHeader.
SelectamethodsuchasGET,POST,orPUT,andtypetheURLofaRESTAPI.Youmightbeaskedtoaccept
orignorethelackofSSLcertificate.ClickSend.
ResponseHeader,ResponseBody,andRenderedHTMLappearinthebottomwindow.
To use the REST API in Chrome

1
SearchtheWebtofindtheSimpleRESTClient,andaddittoChrome.
Clickitsglobelikeicontostartitinatab.
TheSimpleRESTClientprovidesnocertificatecheckinginterface,souseanotherChrometabtoaccept
orignorethelackofSSLcertificate.
TypetheURLofaRESTAPI,andselectamethodsuchasGET,POST,orPUT.
IntheHeadersfield,typethebasicauthorizationline,asintheImportantnoteabove.ClickSend.
Status,Headers,andDataappearintheResponsewindow.
VMware, Inc.
25
To use the REST API in curl

1
Installcurlifnotalreadyinstalled.
InfrontoftheRESTURL,thekoptionavoidscertificatechecking,andtheuoptionspecifiescredentials.
curl -k -u admin:default https://<vsm-ip>/api/2.0/services/usermgmt/user/admin
Ports Required for NSX REST API

TheNSXManagerrequiresport443/TCPforRESTAPIrequests.
26
VMware, Inc.
User Management
Inmanyorganizations,networkingandsecurityoperationsarehandledbydifferentteamsormembers.Such
organizationsmayrequireawaytolimitcertainoperationstospecificusers.Thistopicdescribestheoptions
providedbyNSXtoconfiguresuchaccesscontrol.NSXalsosupportsSingleSignOn(SSO),whichenables
NSXtoauthenticateusersfromotheridentityservicessuchasActiveDirectory,NIS,andLDAP.
UsermanagementinthevSphereWebClientisseparatefromusermanagementintheCLIofanyNSX
component.
Thechapterincludesthefollowingtopics:
ConfiguringSSOonNSXManageronpage 27
UserManagementonpage 28
UserManagementonpage 28
RoleManagementonpage 30
IMPORTANTAllNSXRESTrequestsrequireauthentication.SeeUsingtheNSXRESTAPIonpage 25for
detailsaboutbasicauthorization.
Configuring SSO on NSX Manager

Integratingthesinglesignon(SSO)servicewithNSXimprovesthesecurityofuserauthenticationforvCenter
usersandenablesNSXtoauthenticateusersfromotheridentityservicessuchasAD,NIS,andLDAP.
WithSSO,NSXsupportsSecurityAssertionMarkupLanguage(SAML)tokensfromatrustedsourceto
authenticateRESTAPIcalls.NSXManagercanalsoacquireauthenticationSAMLtokensforusewithother
VMwaresolutions.
Example 2-1. Configure SSO
Request:
POST https://<nsxmgr-ip>/api/2.0/services/ssoconfig
RequestBody:
<ssoconfig>
<ssoLookupServiceUrl></ssoLookupServiceUrl>
<ssoAdminUsername></ssoAdminUsername>
<ssoAdminUserpassword></ssoAdminUserpassword>
</ssoConfig>
VMware, Inc.
27
Query SSO Details

Example 2-2. Get SSO details
Request:
GET https://<nsxmgr-ip>/api/2.0/services/ssoconfig
ResponseBody:
<ssoConfig>
<vsmSolutionName></vsmSolutionName>
<ssoLookupServiceUrl></ssoLookupServiceUrl>
<ssoAdminUsername></ssoAdminUsername>
</ssoConfig>
Query SSO Configuration Status

Example 2-3. Get SSO configuration status
Request:
GET https://<nsxmgr-ip>/api/2.0/services/ssoconfig/status
ResponseBody:
<boolean></boolean>
Delete SSO Configuration

Example 2-4. Delete SSO configuration
Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/ssoconfig/
User Management
TheauthenticationandauthorizationAPIsincludemethodstomanageusersandroles.
Get Information About a User

Youcanretrieveinformationaboutauser.
Example 2-5. Get information about a user
Request:
GET https://<nsxmgr-ip>/api/2.0/services/usermgmt/user/<userId>
RequestBody:
<userInfo>
<objectId></objectId>
<type>
<typeName></typeName>
</type>
<name></name>
<revision></revision>
<objectTypeName></objectTypeName>
<userId></userId>
<fullname></fullname>
28
VMware, Inc.
Chapter 2 User Management
<email></email>
<isLocal></isLocal>
<isEnabled></isEnabled>
<isGroup></isGroup>
<hasGlobalObjectAccess></hasGlobalObjectAccess>
<accessControlEntry>
<role></role>
<resource>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
</resource>
...
</accessControlEntry>
</userInfo>
Userinformationincludesusername,fullname,emailaddress,whetherlocalornot,whetherenabled,
resourceobjects,roles,andscope.
Enable or Disable a User Account

Youcandisableorenableauseraccount,eitherlocaluserorvCenteruser.Whenauseraccountiscreated,the
accountisenabledbydefault.
Example 2-6. Enable or disable a user account
Request:
PUT https://<nsxmgr-ip>/api/2.0/services/usermgmt/user/<userId>/enablestate/<value>
The<value>canbe0(zero)todisabletheaccount,or1(one)toenabletheaccount.
ThisAPIreturns204NoContentifsuccessful.
Remove Role Assignment

ThefirstAPIremovestheNSXroleassignmentforavCenteruser,withoutaffectingthevCenteraccount.The
secondAPIremovesavCenterusersroles.
Example 2-7. Remove role assignment
Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/usermgmt/user/<userId>
Example 2-8. Delete a user role

Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/usermgmt/role/<userId>
BothAPIsreturn204NoContentifsuccessful.7
VMware, Inc.
29
Role Management
Whenassigningorretrievingtheroleforauser,youcannotuseabackslash(\)intheusername(userID
parameter).InsteadofspecifyingDomain\user1astheusername,sayuser1@Domain.
Get Role for a User

Youcanretrieveinformationabouttheroleassignedtothisuser.
Example 2-9. Get user role
Request:
GET https://<nsxmgr-ip>/api/2.0/services/usermgmt/role/<userId>
RequestBody:
<?xml version="1.0" encoding="UTF-8"?>
<role></role>
<resource>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
</resource>
<resource>...</resource>
...
...
Possiblerolesaresuper_user,vshield_admin,enterprise_admin,security_admin,andauditor.
Get Role for a NSX Manager User

YoucanretrieveinformationaboutuserswhohavebeenassignedaNSXManagerrole(localusersaswellas
vCenteruserswiththeNSXManagerrole).
Example 2-10. Get user role
Request:
GET https://<nsxmgr-ip>/api/2.0/services/usermgmt/users/vsm
ResponseBody:
<users>
<userInfo>
<type>
</type><name></name>
<userId></userId>
<fullname></fullname>
<email></email>
30
VMware, Inc.
<isLocal></isLocal>
<isGroup>false</isGroup>
<hasGlobalObjectAccess></hasGlobalObjectAccess>
<role></role>
<resource>
<type>
</type>
<name></name>
<scope>
<id>group-d1</id>
<name></name>
</scope>
</resource>
</userInfo>
<userInfo>
...
</userInfo>
</users>
Add Role and Resources for a User

Youcanaddroleandaccessibleresourcesforthespecifieduser.ItaffectsonlyvCenterusers,notlocalusers.
Youcannotuseabackslash(\)intheusername(userIDparameter).InsteadofspecifyingDomain\user1asthe
username,sayuser1@Domain.
SetisGroup=truetoassignaroletoagroupandisGroup=falsetoassignaroletoauser.
Example 2-11. Update user role
RequestHeader:
POST https://<nsxmgr-ip>/api/2.0/usermgmt/role/userId??isGroup=true|false
RequestBody:
<role>new_role</role>
<resource>
<resourceId>resource-num</resourceId>
...
</resource>
ThisAPIreturns204NoContentifsuccessful.
Change User Role

Youcanupdatetheroleassignmentforagivenuser.TheAPIreturnsanoutputrepresentationspecifyinga
new<accessControlEntry>fortheuser.
Example 2-12. Change user role
RequestHeader:
VMware, Inc.
31
PUT https://<nsxmgr-ip>/api/2.0/services/usermgmt/role/<userId>
RequestBody:
<role>new_role</role>
<resource>
<resourceId>resource-num</resourceId>
...
</resource>
Get List of Possible Roles

YoucanretrievethepossiblerolesinNSXManager.
Example 2-13. Get possible roles
Request:
GET https://<nsxmgr-ip>/api/2.0/services/usermgmt/roles
ResponseBody:
<list>
<string></string>
<string></string>
...
</list>
Get List of Scoping Objects

Youcanretrievealistofobjectsthatcanbeusedtodefineausersaccessscope.
Example 2-14. Get scoping objects
Request:
GET https://<nsxmgr-ip>/api/2.0/services/usermgmt/scopingobjects
ResponseBody:
<scopingObjects>
<object>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
</object>
<object>
<type>
</type>
<name></name>
32
VMware, Inc.
<scope>
<id></id>
<name></name>
</scope>
</object>
...
...
</scopingObjects>
ThescopingobjectsareusuallymanagedobjectreferencesorvCenterServernamesofdatacentersandfolders.
Delete User Role

YoucandeletetheroleassignmentforthespecifiedvCenteruser.Oncethisroleisdeleted,theuserisremoved
fromNSXManager.
Youcannotdeletetheroleforalocaluser.
Example 2-15. Delete role
Request:
DELETE https://<nsxmgr-ip>/api/2.0/usermgmt/role/<user Id>
VMware, Inc.
33
34
VMware, Inc.
Managing the NSX Manager

Appliance
Withtheappliancemanagementtool,youcanmanage:
Systemconfigurationslikenetworkconfiguration,syslog,timesettings,andcertificatemanagementetc.
ComponentsofappliancesuchasNSXManager,Postgres,SSHcomponent,Rabbitmqserviceetc.
Overallsupportrelatedfeaturessuchastechsupportlogs,backuprestore,status,andsummaryreports
ofappliancehealth.
UpgradingtheApplianceManageronpage 35
ConfiguringNSXManagerwithvCenterServeronpage 37
CertificateManagementonpage 38
ResourceManagementonpage 39
ComponentsManagementonpage 46
WorkingwithBackupandRestoreonpage 48
WorkingwithTechSupportLogsonpage 50
WorkingwithSupportNotificationsonpage 51
Upgrading the Appliance Manager

YoucanupgradeNSXManagertoalaterversion.
Upload Upgrade Bundle

Example 3-1. Upload upgrade bundle
Request:
POST https://<nsxmgr-ip>/api/1.0/appliance-management/upgrade/uploadbundle/<component-id>
Query Upgrade Information

Aftertheupgradebundleisuploaded,youcanqueryupgradedetailssuchaspreupgradevalidationwarning
orerrormessagesalongwithpreupgradequestions.
VMware, Inc.
35
Example 3-2. Query upgrade information

Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/upgrade/uploadbundle/<component-id>
ResponseBody:
<upgradeInformation>
<fromVersion></fromVersion>
<toVersion></toVersion>
<upgradeBundleDescription></upgradeBundleDescription>
<preUpgradeQuestionsAnswers>
<preUpgradeQuestionAnswer>
<questionId></questionId>
<question></question>
<questionAnserType></questionAnserType>
</preUpgradeQuestionAnswer>
....
</preUpgradeQuestionsAnswers>
<upgradeStepsDto>
<step>
<stepId></stepId>
<stepLabel></stepLabel>
<description></description>
</step>
...
<step>
<stepId></stepId>
</step>
</upgradeStepsDto>
<warningMessages></warningMessages>
</upgradeInformation>
Begin Upgrade
Startsupgradeprocess.
Example 3-3. Start upgrade
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/upgrade/start/<component-id>
ResponseBody:
<preUpgradeQuestionsAnswers>
<answer></answer>
...
</preUpgradeQuestionsAnswers>
36
VMware, Inc.
Chapter 3 Managing the NSX Manager Appliance
Query Upgrade Status

Retrievesupgradestatus.
Example 3-4. Query upgrade status
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/status/<component-id>
ResponseBody:
<upgradeStatus>
<stepStatus>
<upgradeStep>
<stepId></stepId>
</upgradeStep>
<status></status>
</stepStatus>
<status></status>
<existingBundleFileName></existingBundleFileName>
</upgradeStatus>
Configuring NSX Manager with vCenter Server

YoucansynchronizeNSXManagerwithavCenterServer,whichenablestheNetworkingandSecuritytabin
thevCenterWebClienttodisplayyourVMwareInfrastructureinventory.
Configure vCenter Server with NSX Manager

Example 3-5. Synchronize NSX Manager with vCenter server
Request:
PUT https://<nsxmgr-ip>/api/2.0/services/vcconfig
RequestBody:
<vcInfo>
<ipAddress></ipAddress>
<userName></userName>
<password></password>
<certificateThumbprint></certificateThumbprint>
<assignRoleToUser></assignRoleToUser>
<pluginDownloadServer></pluginDownloadServer>
<pluginDownloadPort></pluginDownloadPort>
</vcInfo>
Query Configuration Details

Example 3-6. Get vCenter Server configuration details on NSX Manager
Request:
GET https://<nsxmgr-ip>/api/2.0/services/vcconfig
ResponseBody:
<vcInfo>
<ipAddress></ipAddress>
<userName></userName>
<certificateThumbprint></certificateThumbprint>
VMware, Inc.
37
<assignRoleToUser></assignRoleToUser>
<vcInventoryLastUpdateTime></vcInventoryLastUpdateTime>
</vcInfo>
Example 3-7. Get default vCenter Server connection status

Request:
GET https://<nsxmgr-ip>/api/2.0/services/vcconfig/status
ResponseBody:
<vcConfigStatus>
<connected></connected>
<lastInventorySyncTime></lastInventorySyncTime>
</vcConfigStatus>
Certificate Management
Generate CSR Certificate
GeneratesCSR.Responseheadercontainscreatedfilelocation.
Example 3-8. Generate CSR
Request:
PUT https://<nsxmgr-ip>/api/1.0/appliance-management/certificatemanager/csr/nsx
RequestBody:
<csr>
<algorithm></algorithm>
<keySize></keySize>
<subjectDto>
<commonName></commonName>
<organizationUnit></organizationUnit>
<organizationName></organizationName>
<localityName></localityName>
<stateName></stateName>
<countryCode></countryCode>
</subjectDto>
</csr>
Download CSR Certificate

DownloadsgeneratedCSRfromappliance.
Example 3-9. Download CSR
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/certificatemanager/csr/nsx
Upload Certificate Chain

InputiscertificatechainfilewhichisaPEMencodedchainofcertificatesreceivedfromtheCAaftersigning
aCSR.
38
VMware, Inc.
Example 3-10. Upload certificate chain

Request:
PUT https://<nsxmgr-ip>/api/1.0/appliance-management/certificatemanager/uploadchain/nsx
Query Certificates
Retrievescertificates.
Example 3-11. Query certificates
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/certificatemanager/certificates/nsx
ResponseBody:
<x509Certificates>
<x509certificate>
<subjectCn></subjectCn>
<issuerCn></issuerCn>
<version></version>
<serialNumber></serialNumber>
<signatureAlgo></signatureAlgo>
<signature></signature>
<notBefore></notBefore>
<notAfter></notAfter>
<issuer></issuer>
<subject></subject>
<publicKeyAlgo></publicKeyAlgo>
<publicKeyLength></publicKeyLength>
<rsaPublicKeyModulus></rsaPublicKeyModulus>
<rsaPublicKeyExponent></rsaPublicKeyExponent>
<sha1Hash></sha1Hash>
<md5Hash></md5Hash>
<isCa></isCa>
<isValid></isValid>
</x509certificate>
....
</x509Certificates>
Upload Keystore File

InputisPKCS#12formattedNSXfilealongwithpassword.
Example 3-12. Upload file
Request:
POST https://<nsxmgr-ip>/api/1.0/appliance-management/certificatemanager/pkcs12keystore/nsx?password="123"
Resource Management
Query Global Appliance Manager Information
Retrievesglobalinformationcontainingversioninformationaswellascurrentloggedinuser.
Example 3-13. Query global information
Request:
VMware, Inc.
39
GET https://<nsxmgr-ip>/api/1.0/appliance-management/global/info
ResponseBody
<globalInfo>
<currentLoggedInUser>Joe</currentLoggedInUser>
<versionInfo>
<majorVersion>6</majorVersion>
<minorVersion>0</minorVersion>
<patchVersion>0</patchVersion>
<buildNumber>1300000000</buildNumber>
</versionInfo>
</globalInfo>
Query Summary Appliance Manager Information

Retrievessystemsummaryinformationsuchasaddress,dnsname,version,CPU,memory,andstorage.
Example 3-14. Query summary
Request:
GET https://<nsx-ip>/api/1.0/appliance-management/summary/system
ResponseBody:
<systemSummary>
<ipv4Address></ipv4Address>
<dnsName></dnsName>
<applianceName></applianceName>
<versionInfo>
<majorVersion></majorVersion>
<minorVersion></minorVersion>
<patchVersion></patchVersion>
<buildNumber></buildNumber>
</versionInfo>
<uptime></uptime>
<cpuInfoDto>
<totalNoOfCPUs></totalNoOfCPUs>
<capacity></capacity>
<usedCapacity></usedCapacity>
<freeCapacity></freeCapacity>
<usedPercentage></usedPercentage>
</cpuInfoDto>
<memInfoDto>
<totalMemory></totalMemory>
<usedMemory></usedMemory>
<freeMemory></freeMemory>
</memInfoDto>
<storageInfoDto>
<totalStorage></totalStorage>
<usedStorage></usedStorage>
<freeStorage></freeStorage>
</storageInfoDto>
<currentSystemDate></currentSystemDate>
</systemSummary>
Query Component Information

Retrievessummaryofallavailablecomponentsavailableandtheirstatusinformation.
40
VMware, Inc.
Example 3-15. Query global information

Request:
GET https://<nsx-ip>/api/1.0/appliance-management/summary/components
ResponseBody
<componentsSummary>
<componentsByGroup class="tree-map">
<entry>
<string></string>
<components>
<component>
<componentId></componentId>
<name></name>
<status></status>
<enabled></enabled>
<showTechSupportLogs></showTechSupportLogs>
<usedBy>
<string></string>
</usedBy>
<componentGroup></componentGroup>
</component>
<component>
...
</component>
</components>
</entry>
<entry>
...
</entry>
</componentsByGroup>
</componentsSummary>
Reboot Appliance Manager

Rebootstheappliancemanager.
Example 3-16. Reboot appliance
Request:
POST https://<nsxmgr-ip>/api/1.0/appliance-management/system/restart
Query Appliance Manager CPU

Example 3-17. Query CPU
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/system/cpuinfo
ResponseBody
<cpuInfo>
<totalNoOfCPUs></totalNoOfCPUs>
<capacity></capacity>
<usedCapacity></usedCapacity>
<freeCapacity></freeCapacity>
</cpuInfo>
VMware, Inc.
41
Query Appliance Manager Uptime

Example 3-18. Query uptime
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/system/uptime
ResponseBody
<> days, <> hours, <> minutes
Query Appliance Manager Memory

Example 3-19. Query memory
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/system/meminfo
ResponseBody
<memInfo>
<totalMemory>11996 MB</totalMemory>
<usedMemory>6524 MB</usedMemory>
<freeMemory>5471 MB</freeMemory>
<usedPercentage>54</usedPercentage>
</memInfo>
Query Appliance Manager Storage

Example 3-20. Query storage
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/system/storageinfo
ResponseBody
<storageInfo>
<totalStorage></totalStorage>
<usedStorage></usedStorage>
<freeStorage></freeStorage>
</storageInfo>
Working with Network Settings

Query Network Information
Retrievesnetworkinformationsuchasconfiguredhostname,IPaddress,andDNSsettings.
Example 3-21. Query network details
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/system/network
ResponseBody
<network>
<hostName></hostName>
<domainName></domainName>
42
VMware, Inc.
<networkIPv4AddressDto>
<ipv4NetMask></ipv4NetMask>
<ipv4Gateway></ipv4Gateway>
</networkIPv4AddressDto>
<networkIPv6AddressDto>
<ipv6PrefixLength></ipv6PrefixLength>
<ipv6Gateway></ipv6Gateway>
</networkIPv6AddressDto>
<dns>
<domainList></domainList>
</dns>
</network>
Configure DNS Servers

ConfiguresDNSservers.
Example 3-22. Configure DNS
Request:
PUT https://<nsxmgr-ip>/api/1.0/appliance-management/system/network/dns
RequestBody
<dns>
<domainList></domainList>
</dns>
Delete DNS Servers

DeletesDNSservers.
Example 3-23. Configure DNS
Request:
DELETE https://<nsxmgr-ip>/api/1.0/appliance-management/system/network/dns
Working with Time Settings

Configure Time Settings
YoucaneitherconfiguretimeorspecifytheNTPservertobeusedfortimesynchronization.
Example 3-24. Configure time
Request:
PUT https://<nsxmgr-ip>/api/1.0/appliance-management/system/timesettings
ResponseBody
<timeSettings>
<ntpServer>
<string></string>
</ntpServer>
VMware, Inc.
43
<datetime></datetime>
<timezone></timezone>
</timeSettings>
Query Time Settings

RetrievestimesettingsliketimezoneorcurrentdateandtimewithNTPserver,ifconfigured.
Example 3-25. Query time settings
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/system/timesettings
ResponseBody
<timeSettings>
<ntpServer>
<string></string>
<string></string>
</ntpServer>
<datetime></datetime>
<timezone></timezone>
</timeSettings>
Delete Time Settings

DeletesNTPserver.
Example 3-26. Delete NTP
Request:
DELETE https://<nsxmgr-ip>/api/1.0/appliance-management/system/timesettings/ntp
Working with Locale Settings

Configure Locale
Configureslocale.
Example 3-27. Configure locale
Request:
PUT https://<nsxmgr-ip>/api/1.0/appliance-management/system/locale
RequestBody
<locale>
<language>en</language>
<country>US</country>
</locale>
Query Locale
Retrieveslocaleinformation.
Example 3-28. Query locale
Request:
44
VMware, Inc.
GET https://<nsxmgr-ip>/api/1.0/appliance-management/system/locale
ResponseBody
<locale>
<language>en</language>
<country>US</country>
</locale>
Working with Syslog Servers

Ifyouspecifyasyslogserver,NSXManagersendsallauditlogsandsystemeventsfromNSXManagertothe
syslogserver.
Configure Syslog Servers

Configuressyslogservers.
Example 3-29. Configure syslog
Request:
PUT https://<nsxmgr-ip>/api/1.0/appliance-management/system/syslogserver
RequestBody
<syslogserver>
<syslogServer></syslogServer>
<port></port>
<protocol></protocol>
</syslogserver>
Query Syslog Servers

Retrievessyslogservers.
Example 3-30. Query syslog
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/system/syslogserver
ResponseBody
<syslogserver>
<syslogServer></syslogServer>
<port></port>
<protocol></protocol>
</syslogserver>
Delete Syslog Servers

Deletessyslogservers.
Example 3-31. Delete syslog
Request:
DELETE https://<nsxmgr-ip>/api/1.0/appliance-management/system/syslogserver
VMware, Inc.
45
Components Management
Query Components
RetrievesallApplianceManagercomponents.
Example 3-32. Query components
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/components
ResponseBody
<components>
<component>
<name></name>
<status></status>
<enabled>true</enabled>
<usedBy>
<string></string>
</usedBy>
</component>
...
<component>
<name></name>
<status></status>
<usedBy>
<string></string>
</usedBy>
<componentGroup>
</componentGroup>
</component>
</components>
Query Specific Component

RetrievesdetailsforthespecifiedcomponentID.
Example 3-33. Query component
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/components/component/componentID
ResponseBody
<component>
<name></name>
<description> Manager</description>
<status></status>
<enabled></enabled>
<uses>
<string></string>
<string></string>
</uses>
46
VMware, Inc.
<usedBy/>
<versionInfo>
<majorVersion></majorVersion>
<minorVersion></minorVersion>
<patchVersion></patchVersion>
<buildNumber></buildNumber>
</versionInfo>
</component>
Query Component Dependencies

RetrievesdependencydetailsforthespecifiedcomponentID.
Example 3-34. Query component dependencydetails
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/components/componentID/dependencies
ResponseBody
<list>
<string>VPOSTGRES</string>
<string>RABBITMQ</string>
</list>
Query Specific Component Dependents

Retrievesdependents forthespecifiedcomponentID.
Example 3-35. Query component dependents
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/components/componentID/dependents
ResponseBody
<list>
<string></string>
<string></string>
</list>
Query Component Status

RetrievescurrentstatusforthespecifiedcomponentID.
Example 3-36. Query component status
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/components/componentID/status
ResponseBody
<result>
<result class="status"></result>
<operationStatus></operationStatus>
</result>
VMware, Inc.
47
Toggle Specific Component Status

Togglescomponentstatus.
Example 3-37. Toggle status
Request:
POST https://<nsxmgr-ip>/api/1.0/appliance-management/components/componentID/toggleStatus/command
Working with Backup and Restore

YoucanbackupandrestoreyourNSXManagerdata,whichcanincludesystemconfiguration,events,and
auditlogtables.Configurationtablesareincludedineverybackup.Backupsaresavedtoaremotelocation
thatmustbeaccessiblebytheNSXManager.
Forinformationonbackipngupcontrollerdata,seeBackupControllerDataonpage 81.
Configure Backup Settings

ConfiguresbackupontheApplianceManager.
Example 3-38. Configure backup
Request:
PUT https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings
RequestBody
<backupRestoreSettings>
<ftpSettings>
<transferProtocol></transferProtocol>
<hostNameIPAddress></hostNameIPAddress>
<port></port>
<userName></userName><password></password>
<backupDirectory></backupDirectory>
<filenamePrefix></filenamePrefix>
<passiveMode></passiveMode>
<useEPRT></useEPRT>
<useEPSV></useEPSV>
</ftpSettings>
<backupFrequency>
<frequency></frequency>
<dayOfWeek></dayOfWeek>
<hourOfDay></hourOfDay>
<minuteOfHour></minuteOfHour>
</backupFrequency>
<excludeTables>
<excludeTable></excludeTable>
</excludeTables>
</backupRestoreSettings>
where:
48
transferProtocol:FTP,SFTP
frequency:weekly,daily,hourly
dayOfWeek:SUNDAY,MONDAY,....,SATURDAY
HourofDay:[024[
Minuteofhour:[060[
VMware, Inc.
ExcludeTables:AUDIT_LOG,SYSTEM_EVENTS,FLOW_RECORDS
ThetablesspecifiedintheexcludeTablesparameterarenotbackedup.
Ifyousetupscheduledbackups,theoutputis:
<scheduledBackupTaskDetails>
<nextExecutionTime></nextExecutionTime>
</scheduledBackupTaskDetails>
Youcanusethefollowingcommandsindividuallytoconfigureaspecificsetting:
ConfigureFTP:
PUThttps://<nsxmgrip>/1.0/appliancemanagement/backuprestore/backupsettings/ftpsettings
Specifytablesthatneednotbebackedup:
PUThttps://<nsxmgrip>/1.0/appliancemanagement/backuprestore/backupsettings/excludedata
Setbackupschedule:
PUThttps://<nsxmgrip>/1.0/appliancemanagement/backuprestore/backupsettings/schedule
Deletebackupschedule
DELETEhttps://<nsxmgrip>/1.0/appliancemanagement/backuprestore/backupsettings/schedule
Configure On-Demand Backup

YoucantakeabackupNSXdataatanygiventime.
Example 3-39. On-demand backup
Request:
POST https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backup
Query Backup Settings

Retrievesbackupsettings.
Example 3-40. Query backup
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings
ResponseBody
<backupRestoreSettings>
<ftpSettings>
<transferProtocol></transferProtocol>
<hostNameIPAddress></hostNameIPAddress>
<port></port>
<userName></userName><password></password>
<backupDirectory></backupDirectory>
<filenamePrefix></filenamePrefix>
<passiveMode></passiveMode>
<useEPRT></useEPRT>
<useEPSV></useEPSV>
</ftpSettings>
<backupFrequency>
<frequency></frequency>
<dayOfWeek></dayOfWeek>
<hourOfDay></hourOfDay>
<minuteOfHour></minuteOfHour>
</backupFrequency>
<excludeTables>
VMware, Inc.
49
</excludeTables>
</backupRestoreSettings>
Delete Backup Configuration

DeletesApplianceManagerbackupconfiguration.
Example 3-41. Delete backup settings
Request:
DELETE https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings
Query Available Backups

Retrieveslistofallbackupsavailableatconfiguredbackuplocation.
Example 3-42. Query backup
Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backups
ResponseBody:
<list>
<backupFileProperties>
<fileName></fileName>
<fileSize></fileSize>
<creationTime></creationTime>
</backupFileProperties>
...
<backupFileProperties>
<fileName></fileName>
<fileSize></fileSize>
<creationTime></creationTime>
</backupFileProperties>
</list>
Restore Data
Restoresbackupfromspecifiedfile.
Example 3-43. Restore data
Request:
POST https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/restore?restoreFile=filename
Working with Tech Support Logs

Generate Tech Support Logs
Generatestechsupportlogs.Responseheadercontainsthelocationofthecreatedtechsupportfile.
Example 3-44. Generate tech support log
Request:
50
VMware, Inc.
POST https://<nsxmgr-ip>/api/1.0/appliance-management/techsupportlogs/componentID
Download Tech Support Logs

Downloadstechsupportlogs.Responseheadercontainsthelocationofthecreatedtechsupportfile.
Example 3-45. Generate tech support log
Request:
POST https://<nsxmgr-ip>/api/1.0/appliance-management/techsupportlogs/filename
Querying NSX Manager Logs

YoucanretrieveNSXManagersystemeventandauditlogs.
Get NSX Manager System Events

YoucanretrieveNSXManagersystemevents.
Example 3-46. Get NSXManagersystemevents
Request:
GET https://<vsm-ip>/api/2.0/systemevent?startIndex=0\&pageSize=10
Where
start indexisanoptionalparameterwhichspecifiesthestartingpointforretrievingthelogs.Ifthis
parameterisnotspecified,logsareretrievedfromthebeginning.
page sizeisanoptionalparameterthatlimitsthemaximumnumberofentriesreturnedbytheAPI.The
defaultvalueforthisparameteris256andthevalidrangeis11024.
Get NSX Manager Audit Logs

YoucangetNSXManagerauditlogs.
Example 3-47. GetNSXManagerauditlogs
Request:
GET https://<nsxmgr-ip>/api/2.0/logging/auditlog?startIndex=0\&pageSize=10
Where
start indexisanoptionalparameterwhichspecifiesthestartingpointforretrievingthelogs.Ifthis
parameterisnotspecified,logsareretrievedfromthebeginning.
Working with Support Notifications

Query Notifications
Retrievesallsystemgeneratednotifications.
VMware, Inc.
51
Example 3-48. Query notifications

Request:
GET https://<nsxmgr-ip>/api/1.0/appliance-management/notifications
ResponseBody:
<notifications>
<notification>
<id></id>
<notification></notification>
<notificationStatus></notificationStatus>
</notification>
</notifications>
Delete all Notifications

Deletesallsystemgeneratednotificationsregardlessofwhethertheyhavebeenackowledged.
Example 3-49. Delete notifications
Request:
DELETE https://<nsxmgr-ip>/api/1.0/appliance-management/notifications
Acknowledge Notifications
Acknowledgesanotification.Thenotificationisthendeletedfromthesystem.
Example 3-50. Ackonwledge notification
Request:
POST https://<nsxmgr-ip>/api/1.0/appliance-management/notifications/NotificationId/acknowledge
52
VMware, Inc.
Grouping Objects
The Grouping feature enables you to create custom containers to which you can assign resources.
WorkingwithSecurityGroupsonpage 53
WorkingwithTagsonpage 59
WorkingwithIPsetsonpage 60
WorkingwithMACsetsonpage 62
WorkingwithServicesonpage 63
WorkingwithServiceGroupsonpage 66
WorkingwithIPPoolsonpage 69
QueryingObjectIDsonpage 73
Working with Security Groups

AsecuritygroupisacollectionofassetsorgroupingobjectsfromyourvSphereinventory.
Create Security Group

Youcancreateanewsecuritygrouponaglobalscope.Inheritanceisnotallowed.
TheresponseofthecallhasLocationheaderpopulatedwiththeURIusingwhichthecreatedobjectcanbe
fetched.
Example 4-1. Create new security group
Request:
POST https://<nsxmgr-ip>/api/2.0/services/securitygroup//bulk/<scopeID>
RequestBody:
<securitygroup>
<vsmUuid></vsmUuid>
<type>
</type>
<name></name>
VMware, Inc.
53
<scope>
<id></id>
<name></name>
</scope>
<clientHandle></clientHandle>
<extendedAttributes/>
<member>
<vsmUuid></vsmUuid>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
</member>
<member>
...
</member>
<member>
...
</member>
<excludeMember>
<vsmUuid></vsmUuid>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
</excludeMember>
<excludeMember>
...
</excludeMember>
<excludeMember>
...
</excludeMember>
<dynamicMemberDefinition>
<dynamicSet>
<operator></operator>
<dynamicCriteria>
<key></key>
<criteria></criteria>
<value></value>
54
VMware, Inc.
Chapter 4 Grouping Objects
</dynamicCriteria>
<dynamicCriteria>
....
</dynamicCriteria>
</dynamicSet>
<dynamicSet>
....
</dynamicSet>
</dynamicMemberDefinition>
</securitygroup>
wheredynamicMemberDefinitionincudesthefollowing:
dynamicSetrepresentsarulesetasrepresentedontheUI.Therecanbemultipledynamicsetsinside
dynamicmemberdefinition.
operator:specifieshowtocombinetheresultsoftwodynamicsets.Theoperatorpresentinthisdynamic
setisusedtocombinetheresultofthedynamicset(s)evalutedpreviouslywiththeresultofthisdynamic
set.
Thecombiningtakesplaceserially.ConsiderthreedynamicsetsDS1,DS2andDS3
ThepossiblevaluesforthisfieldareANDandOR.
dynamicCriteriadefinestheactualcriteriaforthemembership.TherecanbemultipledynamicCriteria
insideadynamicSet.
AllthedynamicCriteriainadynamicSetmusthavethesameoperator.
keyspecifiestheobjectandtheattributeonwhichtheconditionhastobeapplied.Eg:VM.name.The
keycanbeanyobjectattributethatissupportedbytheDynamicMemberAPI.
criteriaspecifiestheconditionthathastoappliedtothekeywithrespecttothevalue.Differentconditions
aredefinedfordifferentdatatypes.Forstringdatatype,theconditioncanbe=,!=,contains,doesnot
contain,etc.Fornumericaldatatypes,conditioncanbe=,!=,<,etc.
valueisastringtowhichkeyhastocomparedusingthecriteria.
Query Security Groups

Youcanretrieveallthesecuritygroupsthathavebeencreatedonaspecificscope.
Duetothedynamicnatureofsecuritygroups,changestothevirtualmachinelistingofsecuritygroupsor
changestotheservicesassociatedwithavirtualmachinearelikelytogetreflectedafewsecondsafterthe
securitygroupchange.Hence,thereshouldadelayofafewsecondsbetweenasecuritygroupmodification
andrunningaGETcallonit.
Example 4-2. Query all security groups on NSX Manager
Request:
GET https://<nsxmgr-ip>/api/2.0/services/securitygroup/scope/<scopeID>
ResponseBody
<list>
<securitygroup>
<nsxmgrUuid></nsxmgrUuid>
<type>
VMware, Inc.
55
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
<member>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
</member>
<member>
...
</member>
<member>
...
</member>
<excludeMember>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
</excludeMember>
<excludeMember>
...
</excludeMember>
<excludeMember>
...
</excludeMember>
<dynamicMemberDefinition>
<dynamicSet>
<dynamicCriteria>
<key></key>
<criteria></criteria>
56
VMware, Inc.
<value></value>
</dynamicCriteria>
<dynamicCriteria>
....
</dynamicCriteria>
</dynamicSet>
<dynamicSet>
....
</dynamicSet>
</dynamicMemberDefinition>
</securitygroup>
<securitygroup>
....
</securitygroup>
<securitygroup>
....
</securitygroup>
</list>
where<scopeID>istheNSXManagerID.
Thefollowingcommandretrievesdetailsforthespecifiedsecuritygroup:
GET https://<nsxmgr-ip>/api/2.0/services/securitygroup/<securityGroupID>
ThefollowingcommadretrievesallinternalsecuritygroupsontheNSXManager.Internalsecuritygroupsare
usedinternallybythesystemandarenotcreatedormanagedbyendusers.Youshouldnotmodifythese.
GET https://<nsxmgr-ip>/api/2.0/services/securitygroup/internal/scope/<scopeID>
Query Members for a Scope

Youcanretrievealistofapplicablememberelementsthatcanbeaddedtosecuritygroupscreatedona
particularscope.Becausesecuritygroupallowsonlyspecifictypeofcontainerelementstobeadded,thislist
helpsyoudetermineallpossiblevalidelementsthatcanbeadded.
Example 4-3. Get members for a security group scope
Request:
GET https://<nsxmgr-ip>/api/2.0/services/securitygroup/scope/<scopeID>/memberTypes
ResponseBody:
<list>
<basicinfo>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
<clientHandle />
<extendedAttributes />
VMware, Inc.
57
</basicinfo>
<basicinfo>
...
</basicinfo>
<basicinfo>
...
</basicinfo>
</list>
NotethatthisAPIcommandrequiresaslash(/)attheend.
Usethefollowingcommandtoretrievemembersofaspecifictypeunderascope:
GET https://<nsxmgr-ip>/api/2.0/services/securitygroup/scope/<scopeID>/members/memberType
Query Security Group Objects

Retrieveslistofentities(IpNodes,MacNodes,VmNodes,orVnicNodes)thatbelongtoaspecificsecurity
group.
Example 4-4. Query security group members
Request:
GET https://<nsxmgr-ip>/api/2.0/services/securitygroup/{securityGroupId}/translation/virtualmachines
GET https://<nsxmgr-ip>/api//2.0/services/securitygroup/{securityGroupId}/translation/ipaddresses
GET https://<nsxmgr-ip>/api//2.0/services/securitygroup/{securityGroupId}/translation/macaddresses
GET https://<nsxmgr-ip>/api//2.0/services/securitygroup/{securityGroupId}/translation/vnics
Query Security Groups that contain a Virtual Machine

Retrieveslistofsecuritygroupstowhichthespecifiedvirtualmachinebelongsto.
Example 4-5. Query Security Groups that contain a Virtual Machine
Request:
GET https://<nsxmgr-ip>/api/2.0/services/securitygroup/lookup/virtualmachine/<virtualMachineId>
Modify a Security Group

Tomodifyasecuritygroup,youmustqueryitfirstandthenmodifytheoutput.Themodifiedoutputcanthen
bespecifiedastherequestbody.
Example 4-6. Modify a security group
Request:
PUT https://<nsxmgr-ip>/api/2.0/services/securitygroup/bulk/<securitygroup-id>
RequestBody:
SeeExample 41.
Delete a Security Group

Youcandeleteanexistingsecuritygroup.
58
VMware, Inc.
Example 4-7. Delete a security group

Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/securitygroup/<securitygroup-id>
Working with Tags

You can view security tags applied on a virtual machine or create a user defined security tag.
Create Security Tag

Createsanewsecuritytag.
Example 4-8. Create tag
Request:
POST https://<nsxmgr-ip>/api/2.0/services/securitytags/tag
RequestBody:
<securityTag>
<objectTypeName>SecurityTag</objectTypeName>
<type><typeName>SecurityTag</typeName></type>
<name>TAG_NAME</name>
<description>description of the tag</description>
</securityTag>
Query Security Tags

Retrievessecuritytags.
Example 4-9. Query tag
Request:
GET https://<nsxmgr-ip>/api/2.0/services/securitytags/tag
ResponseBody:
<securityTags>
<securityTag>
<objectId>tag-id</objectId>
<objectTypeName>SecurityTag</objectTypeName>
<type><typeName>SecurityTag</typeName></type>
<name>TAG_NAME</name>
<description>description of the tag</description>
</securityTag>
</securityTags>
Apply Tag to Virtual Machine

Appliessecuritytagtovirtualmachine.
Example 4-10. Apply tag
Request:
VMware, Inc.
59
PUT https://<nsxmgr-ip>/api/2.0/services/securitytags/tag/{TagIdentifierString}/vm/{vmMoid}
Detach Tag from Virtual Machine

Detachessecuritytagfromvirtualmachine.
Example 4-11. Detach tag
Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/securitytags/tag/{TagIdentifierString}/vm/{vmMoid}
Delete Tag from Virtual Machine

Deletestags.
Example 4-12. Delete tag
Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/securitytags/tag/{TagIdentifierString}
Working with IPsets

YoucangroupasetofIPaddressesintoanIPSet.
Create an IPset
AllIPsetsarecreatedontheglobalscope.
Example 4-13. Create IPset
Request:
POST hnsxmgrttps://<nsxmgr-ip>/api/2.0/services/ipset/<scope-moref>
RequestBodyExample:
<ipset>
<objectId />
<type>
<typeName />
</type>
<description>
New Description
</description>
<name>TestIPSet2</name>
<revision>0</revision>
<objectTypeName />
<value>10.112.201.8-10.112.201.14</value>
</ipset>
where<scopemoref>isglobalroot0.
Intherequestbodyexample,arangeofIPaddressesonthe10.112netisspecified(201.8to201.14).
Query IPsets
YoucanretrievealltheIPsets.
60
VMware, Inc.
Example 4-14. List IPsets on a scope

Request:
GET https://<nsxmgr-ip>/api/2.0/services/ipset/scope/<scope-moref>
Query Details of an IPset

YoucanretrievedetailsaboutanIPset.
Example 4-15. Get details of an IPset
Request:
GET https://<nsxmgr-ip>/api/2.0/services/ipset/<ipset-id>
The<ipset-id>isasreturnedbylistingtheIPsetonascope.
Modify an IPset
YoucanmodifyanexistingIPsetandretrievedetailsaboutthemodifiedIPset.
Example 4-16. Modify an IPset
Request:
PUT https://<nsxmgr-ip>/api/2.0/services/ipset/<ipset-id>
RequestBodyExample:
<ipset>
<objectId />
<type>
<typeName />
</type>
<description>
New Description
</description>
<name>TestIPSet2</name>
<objectTypeName />
<value>10.112.201.8-10.112.201.21</value>
</ipset>
The<ipset-id>isasreturnedbylistingtheIPsetonascope.Intherequestbodyexample,theIPaddressrange
isdoubled.
Delete an IPset
YoucandeleteanIPset.Thetrailingbooleanflagindicatesforcedorunforceddelete.Withforceddelete,the
objectisdeletedevenifusedinotherplacessuchasfirewallrules,causinginvalidreferrals.Forunforced
delete,theobjectisdeletedonlyifitisnotusedbyotherconfiguration;otherwisethedeletefails.
Example 4-17. Delete an IPset
Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/ipset/<ipset-id>?force=<true|false>
VMware, Inc.
61
Working with MACsets

Create a MACset on a Scope
YoucancreateaMACsetonthespecifiedscope.Onsuccess,theAPIreturnsastringidentifierforthenew
MACset.
Example 4-18. Create MACset on a scope
Request:
POST https://<nsxmgr-ip>/api/2.0/services/macset/scope/<scope-moref>
RequestBodyExample:
<macset>
<objectId />
<type>
<typeName />
</type>
<description>Some description</description>
<name>TestMACSet1</name>
<objectTypeName />
<value>22:33:44:55:66:77,00:11:22:33:44:55,aa:bb:cc:dd:ee:ff</value>
</macset>
where<scopemoref>isglobalroot0.Intherequestbodyexample,acommaseparatedlistofMACaddresses
isspecified.
List MACsets Created on a Scope

YoucanretrievealltheMACsetsthatwerecreatedonthespecifiedscope.
Example 4-19. List MACsets on a scope
Request:
GET https://<nsxmgr-ip>/api/2.0/services/macset/<scope-moref>
Get Details of a MACset

YoucanretrievedetailsaboutaMACset.
Example 4-20. Get details of a MACset
Request:
GET https://<nsxmgr-ip>/api/2.0/services/macset/<macset-id>
The<MACset-id>isasreturnedbylistingtheMACsetonascope.
Modify an Existing MACset

YoucanmodifyanexistingMACsetandretrievedetailsaboutthemodifiedMACset.
Example 4-21. Modify details of a MACsets
Request:
62
VMware, Inc.
PUT https://<nsxmgr-ip>/api/2.0/services/MACset/<MACset-id>
RequestBody:
<macset>
<objectId />
<type>
<typeName />
</type>
<name>TestMACSet1</name>
<objectTypeName />
<value>22:33:44:55:66:77,00:11:22:33:44:55</value>
</macset>
The<MACset-id>isasreturnedbylistingtheMACsetonascope.Intherequestbodyexample,oneMAC
addressfewerisspecified.
Delete a MACset
YoucandeleteaMACset.Thetrailingbooleanflagindicatesforcedorunforceddelete.Withforceddelete,the
objectisdeletedevenifusedinotherplacessuchasfirewallrules,causinginvalidreferrals.Forunforced
delete,theobjectisdeletedonlyifitisnotusedbyotherconfiguration;otherwisethedeletefails.
Example 4-22. Delete a MACset
Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/macset/<macset-id>
Working with Services

List Services on a Scope
Youcanretrievealistofservicesthathavebeencreatedonthescopespecifiedbymanagedobjectreference
<moref>.
Example 4-23. List services on a given scope
Request:
GET https://<nsxmgr-ip>/api/2.0/services/application/scope/<moref>
Anonexistentscoperesultsina400BadRequesterror.
Add Service to a Scope

Youcancreateanewserviceonthespecifiedscope.
Example 4-24. Add a service to a scope
Request:
POST https://<nsxmgr-ip>/api/2.0/services/application/<moref>
RequestBody:
<application>
<objectId/>
<type>
<typeName/>
VMware, Inc.
63
</type>
<name>TestApplication1</name>
<objectTypeName/>
<element>
<applicationProtocol>UDP</applicationProtocol>
<value>9,22-31,44</value>
</element>
</application>
ForapplicationProtocol,possiblevaluesare:
TCP
UDP
ORACLE_TNS
FTP
SUN_RPC_TCP
SUN_RPC_UDP
MS_RPC_TCP
MS_RPC_UDP
NBNS_BROADCAST
NBDG_BROADCAST
OnlyTCPandUDPsupportcommaseparatedportnumbersanddashseparatedportranges.Otherprotocols
supportasingleportnumberonly.
Onsuccess,thiscallreturnsastringidentifierforthenewlycreatedapplication,forinstanceApplication-1.The
locationheaderinthereplycontainstherelativepathofthecreatedApplicationandcanbeusedforfurther
GET,PUT,andDELETEcalls.
Get Details of a Service

Youcanretrievedetailsabouttheservicespecifiedby<applicationgroup-id>asreturnedbythecallshownin
Example 424.
Example 4-25. Retrieve details about a service
Request:
GET https://<nsxmgr-ip>/api/2.0/services/application/<application-id>
ResponseBody:
<application>
<objectId>
application-45
</objectId>
<type>
<typeName>
Application
</typeName>
</type>
<name>
TestApplication1
</name>
<revision>
1
</revision>
<objectTypeName>
Application
</objectTypeName>
64
VMware, Inc.
<scope>
<id>
datacenter-2
</id>
<objectTypeName>
Datacenter
</objectTypeName>
<name>
AmolDC
</name>
</scope>
<inheritanceAllowed>
false
</inheritanceAllowed>
<element>
<applicationProtocol>
UDP
</applicationProtocol>
<value>
9,22-31,44
</value>
</element>
</application>
AnonexistentapplicationIDresultsina404NotFounderror.
Modify Service Details

Youcanmodifythename,description,applicationProtocol,orportvalueofaservice.
Example 4-26. Modify application
Request:
PUT https://<nsxmgr-ip>/api/2.0/services/application/<application-id>
RequestBody:
<application>
<objectId>Application-1</objectId>
<type>
<typeName>Application</typeName>
</type>
<name>TestApplication</name>
<objectTypeName>Application</objectTypeName>
<element>
<applicationProtocol>TCP</applicationProtocol>
<value>10,29-30,45</value>
</element>
</application>
ThecallreturnsXMLdescribingthemodifiedservice.
Delete Service
Youcandeleteaservicebyspecifyingits<applicationgroup-id>.Theforce=flagindicatesifthedeleteshouldbe
forcedorunforced.Forforceddeletes,theobjectisdeletedirrespectiveofitsuseinotherplacessuchasfirewall
rules,whichinvalidatesotherconfigurationsreferringtothedeletedobject.Forunforceddeletes,theobjectis
deletedonlyifitisnotbeingusedbyanyotherconfiguration.Thedefaultisunforced(false).
Example 4-27. Delete service
Request:
VMware, Inc.
65
DELETE https://<nsxmgr-ip>/api/2.0/services/application/<application-id>?force=<true|false>
Working with Service Groups

Add Service Group
Youcancreateanewservicegrouponthespecifiedscope.
Example 4-28. Add a service group to a scope
Request:
POST https://<nsxmgr-ip>/api/2.0/services/applicationgroup/<scope-moref>
RequestBody:
<applicationGroup>
<name>TestApplication1</name>
<inheritanceAllowed>false</inheritanceAllowed>
</applicationGroup>
Query Service Groups

Youcanretrievealistofservicegroupsthathavebeencreatedonthescopespecifiedbymanagedobject
reference<moref>.
Example 4-29. List service groups on a given scope
Request:
GET https://<nsxmgr-ip>/api/2.0/services/applicationgroup/<scope-moref>
ResponseBody:
<list>
<applicationGroup>
<objectId>applicationgroup-1</objectId>
<type>
<typeName>ApplicationGroup</typeName>
</type>
<name>testglobalAG</name>
<objectTypeName>ApplicationGroup</objectTypeName>
<scope>
<id>globalroot-0</id>
<objectTypeName>GlobalRoot</objectTypeName>
<name>Global</name>
</scope>
<member>
<objectId>application-37</objectId>
<type>
</type>
<name>SMTP</name>
<scope>
66
VMware, Inc.
<name>Global</name>
</scope>
</member>
</applicationGroup>
</list>
Anonexistentscoperesultsina400BadRequesterror.
Query Details of a Service Group

Youcanretrievedetailsabouttheservicegroup specifiedby<applicationgroup-id>asreturnedbythecallshown
inExample 424.
Example 4-30. Retrieve details about a service group
Request:
GET https://<nsxmgr-ip>/api/2.0/services/applicationgroup/<applicationgroup-id>
AnonexistentapplicationIDresultsina404NotFounderror.
Modify Service Group Details

Youcanmodifythename,description,applicationProtocol,orportvalueofaservicegroup.
Example 4-31. Modify service group
Request:
PUT https://<nsxmgr-ip>/api/2.0/services/applicationgroup/<applicationgroup-id>
RequestBody:
<applicationGroup>
<type>
</type>
<name>testglobalAG-updated</name>
<description>Updated with description</description>
<scope>
<name>Global</name>
</scope>
<member>
<type>
</type>
<name>SMTP</name>
<scope>
<name>Global</name>
</scope>
VMware, Inc.
67
</member>
</applicationGroup>
ThecallreturnsXMLdescribingthemodifiedservice.
Delete Service Group from Scope

Youcandeleteaservicegroup byspecifyingits<applicationgroup-id>.Theforce=flagindicatesifthedelete
shouldbeforcedorunforced.Forforceddeletes,theobjectisdeletedirrespectiveofitsuseinotherplacessuch
asfirewallrules,whichinvalidatesotherconfigurationsreferringtothedeletedobject.Forunforceddeletes,
theobjectisdeletedonlyifitisnotbeingusedbyanyotherconfiguration.Thedefaultisunforced(false).
Example 4-32. Delete service group
Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/applicationgroup/<applicationgroup-id>?force=<true|false>
Working with the Members of a Service Group

Query Service Group Members
Youcangetalistofmemberelementsthatcanbeaddedtotheservicegroupscreatedonaparticularscope.
Sinceservicegroupallowsonlyeitherservicesorotherservicegroupsasmemberstobeadded,thishelpsyou
getalistofallpossiblevalidelementsthatcanbeaddedtotheservice.
Example 4-33. Retrieve member elements
Request:
GET https://<nsxmgr-ip>/api/2.0/services/applicationgroup/scope/<scope-moref>/members
ResponseBody:
<list>
<basicinfo>
<type>
</type>
<name>AGDC-1</name>
<description>AG created in DC</description>
<scope>
<id>datacenter-2</id>
<objectTypeName>Datacenter</objectTypeName>
<name>Datacenter</name>
</scope>
</basicinfo>
<basicinfo>
<type>
</type>
<name>ORACLE_TNS</name>
<scope>
68
VMware, Inc.
<name>Global</name>
</scope>
</basicinfo>
<basicinfo>
<type>
</type>
<name>SMTP</name>
<scope>
<name>Global</name>
</scope>
</basicinfo>
</list>
Add a Member to the Service Group

Youcanaddamembertotheservicegroup.
Example 4-34. Add member
Request:
PUT https://<nsxmgr-ip>/api/2.0/services/applicationgroup/<applicationgroup-id>/members/
<member-moref>
Delete a Member from the Service Group

Youcandeleteamemberfromtheservicegroup.
Example 4-35. Delete member
Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/applicationgroup/<applicationgroup-id>/members/
<member-moref>
Working with IP Pools

YoucancreateapoolofIPaddresses.
Add an IP Pool
Example 4-36. Add IP pool
Request:
POST https://<nsxmgr-ip>/api/2.0/services/ipam/pools/scope/<scopeId>
RequestBody:
<ipamAddressPool>
<name>rest-ip-pool-1</name>
<prefixLength>23</prefixLength>
<gateway>192.168.1.1</gateway>
VMware, Inc.
69
<dnsSuffix>eng.vmware.com</dnsSuffix>
<dnsServer1>10.112.0.1</dnsServer1>
<ipRanges>
<ipRangeDto>
<startAddress>192.168.1.2</startAddress>
<endAddress>192.168.1.3</endAddress>
</ipRangeDto>
</ipRanges>
</ipamAddressPool>
wherescopidisglobalroot0.
Query IP Pool Details

RetrievesdetailsaboutthespecifiedIPpool.
Example 4-37. Query IP Pool
Request:
GET https://<nsxmgr-ip>/api/2.0/services/ipam/pools/<pool-ID>
ResponseBody:
<ipamAddressPool>
<objectId>ipaddresspool-1</objectId>
<objectTypeName>IpAddressPool</objectTypeName>
<vsmUuid>4237BA90-C373-A71A-9827-1673BFA29498</vsmUuid>
<type>
<typeName>IpAddressPool</typeName>
</type>
<ipRanges>
<ipRangeDto>
<id>iprange-1</id>
</ipRangeDto>
</ipRanges>
<totalAddressCount>2</totalAddressCount>
<usedAddressCount>0</usedAddressCount>
</ipamAddressPool>
Modify an IP Pool
TomodifyanIPpool,querytheIPpoolfirst.Thenmodifytheoutputandsenditbackastherequestbody.
Example 4-38. Query IP Pool
Request:
PUT https://<nsxmgr-ip>/api/2.0/services/ipam/pools/<pool-ID>
ResponseBody:
<ipamAddressPool>
70
VMware, Inc.
<type>
</type>
<ipRanges>
<ipRangeDto>
<id>iprange-1</id>
</ipRangeDto>
</ipRanges>
</ipamAddressPool>
Allocating a New IP Address

AllocatesanewIPaddressfromthespecifiedpool.
Example 4-39. Allocate new address
Request:
POST https://<nsxmgr-ip>/api/2.0/services/ipam/pools/<pool-ID>/ipaddresses
RequestBody:
<ipAddressRequest>
<allocationMode>ALLOCATE</allocationMode>
</ipAddressRequest>
Response Body:
<allocatedIpAddress>
<id>allocatedipaddress-1</id>
<ipAddress>192.168.1.2</ipAddress>
<allocationNote/>sample note</allocationNote>
</allocatedIpAddress>
Allocating a Specific IP Address

AllocatesaspecificIPaddressfromthespecifiedpool.
Example 4-40. Allocate new address
Request:
POST https://<nsxmgr-ip>/api/2.0/services/ipam/pools/<pool-ID>/ipaddresses
RequestBody:
<ipAddressRequest>
<allocationMode>RESERVE</allocationMode>
VMware, Inc.
71
</ipAddressRequest>
ResponseBody:
SeeExample 439.
Query all IP Pools on Scope

RetrievesallIPpoolsonthespecifiedscope.
Example 4-41. Query IP pools on scope
Request:
GET https://<nsxmgr-ip>/api/2.0/services/ipam/pools/<pool-ID>/ipaddresses
ResponseBody:
<ipamAddressPools>
<ipamAddressPool>
<type>
</type>
<ipPoolType>IPV4</ipPoolType>
<ipRanges>
<ipRangeDto>
<id>iprange-1</id>
</ipRangeDto>
</ipRanges>
<totalAddressCount>2</totalAddressCount>
<usedAddressCount>0</usedAddressCount>
<subnetId>subnet-1</subnetId>
</ipamAddressPool>
</ipamAddressPools>
Query Allocated IP Addresses

RetrievesallallocatedIPaddressesfromthespecifiedpool.
Example 4-42. Query allocated addresses
Request:
GET https://<nsxmgr-ip>/api/2.0/services/ipam/pools/scope/<scopeID>
ResponseBody:
<allocatedIpAddresses>
72
VMware, Inc.
<allocationNote>sample note</allocationNote>
<allocationNote>sample note</allocationNote>
</allocatedIpAddresses>
Release an IP Address
Example 4-43. Release IP address
Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/ipam/pools/<pool-ID>/ipaddresses/<allocated-ip-address>
Delete an IP Pool
Example 4-44. Delete IP Pool
Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/ipam/pools/<pool-ID>
Querying Object IDs

ThissectiondescribeshowtoretrievetheIDsfortheobjectsinyourvirtualinventory.
Query Datacenter MOID

1
Inawebbrowser,typethefollowing:
http://<vCenter-IP>/mob
Clickcontent.
ClickontherootFoldervalue.
ClickonthechildEntityvalue.
ThedatacenterMOIDisdisplayedontopofthewindow.
Query Datacenter ID
1
VMware, Inc.
Clickcontent.
73
ThedatacentervalueisthedatacenterID.
Query Host ID
1
Clickcontent.
Clickonthedatacentervalue.
Thehost valueisthehostID.
Query Portgroup ID
1
Clickcontent.
Clickonthehost value.
ThenetworkpropertyvalueistheportgroupID.
74
VMware, Inc.
Installing NSX Components
AftertheinstallationofNSXManager,youcaninstallothercomponentsasrequired..
InstallingLicensesonpage 75
WorkingwithNetworkVirtualizationComponentsonpage 76
WorkingwithVXLANforLogicalSwitchesonpage 77
WorkingwithServicesonpage 90
WorkingwithConflictingAgenciesonpage 97
UninstallingServicesonpage 98
Installing Licenses
You can install and assign an NSX for vSphere license after NSX Manager installation is complete by using the vSphere
Web Client.
BeforepurchasingandactivatinganNSXforvSpherelicense,youcaninstallandrunthesoftwarein
evaluationmode.Whenruninevaluationmode,intendedfordemonstrationandevaluationpurposes,NSX
componentsarecompletelyoperationalimmediatelyafterinstallation,donotrequireanylicensing
configuration,andprovidefullfunctionalityfor60daysfromthetimeyoufirstactivatethem.
1
LogintothevSphereWebClient.
ClickAdministration andthenclickLicenses.
ClicktheSolutions tab.
Fromthedropdownmenuatthetop,selectAssign a new license key.
Typethelicensekeyandanoptionallabelforthenewkey.
ClickDecode.
Decodethelicensekeytoverifythatitisinthecorrectformat,andthatithasenoughcapacitytolicense
theassets.
ClickOK.
What to do next
Obtain and install an NSX for vSphere license within the evaluation period.
VMware, Inc.
75
Working with Network Virtualization Components

Asthedemandsondatacenterscontinuetogrowandaccelerate,requirementsrelatedtospeedandaccessto
thedataitselfcontinuetogrowaswell.Inmostinfrastructures,virtualmachineaccessandmobilityusually
dependonphysicalnetworkinginfrastructureandthephysicalnetworkingenvironmentstheyresidein.This
canforcevirtualworkloadsintolessthanidealenvironmentsduetopotentiallayer2orlayer3boundaries,
suchasbeingtiedtospecificVLANs.
Networkvirtualizationallowsyoutoplacethesevirtualworkloadsonanyavailableinfrastructureinthe
datacenterregardlessoftheunderlyingphysicalnetworkinfrastructure.Thisnotonlyallowsincreased
flexibilityandmobility,butincreasedavailabilityandresilience.
Featureconfigurationismanagedataclusterlevel.Clusterpreparationcanbebrokendownintothe
following:
Installvibandnonvibrelatedaction:Beforeanyperhostconfigavibmustbeinstalledonthehost.The
featurecanusethistimetoperformotherbootstrappingtaskswhichdonotdependonvibinstallation.
e.g.vxlancreatesthevmknicpgandsetsupsomeopaquedata.
Postvibinstall:Prepareeachhostforthefeature.Inthecaseofvxlan,createvmknics.
Install Network Virtualization Components

Youinstallthenetworkinfrastructurecomponentsinyourvirtualenvironmentonaperclusterlevelforeach
vCenterserver,whichdeploystherequiredsoftwareonallhostsinthecluster.Thissoftwareisalsoreferred
toasanNSXvSwitch.Whenanewhostisaddedtothiscluster,therequiredsoftwareisautomaticallyinstalled
onthenewlyaddedhost.Afterthenetworkinfrastructureisinstalledonacluster,LogicalFirewallisenabled
onthatcluster.
Example 5-1. Install network virtualization
Request
POST https://<nsxmgr-ip>/api/2.0/nwfabric/configure
RequestBody
<nwFabricFeatureConfig>
<resourceConfig>
<resourceId>{CLUSTER MOID}</resourceId>
</resourceConfig>
</nwFabricFeatureConfig>
Upgrade Network Virtualization Components

AfterNSXManagerisupgradedtoNSXManager,previouslypreparedclustersmusthavethe6.0network
virtualizationcomponentsinstalled.
Example 5-2. Upgrade network virtualization
Request
PUT https://<nsxmgr-ip>/api/2.0/nwfabric/configure
RequestBody
SeeExample 51.
76
VMware, Inc.
Chapter 5 Installing NSX Components
Delete Network Virtualization Components

Removepreviouslyinstalledvibs,tearsdownNSXmanagertoESXmessaging,andremoveanyothernetwork
fabricdependentfeatureslikelogicalwiresetc.Ifafeaturelikelogicalwireisbeingusedinyourenvironment,
thiscallfails.
Example 5-3. Delete network virtualization
Request
DELETE https://<nsxmgr-ip>/api/2.0/nwfabric/configure
Working with VXLAN for Logical Switches

Configuring logical switches is a multi-step process. You must follow these steps in order to complete logical switch
configuration. In lieu of multicast routing on the physical fabric, you can add NSX controllers in your environment. You
can later associate one of these traffic forwarding mechanisms with a transport zone.
Prerequisites
YoumusthavetheSuperAdministratororEnterpriseAdministratorrolepermissionstoconfigureand
managelogicalswitches.
Installnetworkvirtualizationcomponentsontheclustersthataretobepartofthelogicalswitch.See
InstallNetworkVirtualizationComponentsonpage 76.
Ensurethatyouhavethefollowingsoftwareversions.
VMwarevCenterServer5.5orlater
VMwareESX5.1orlateroneachserver
vSphereDistributedSwitch5.1orlater
PhysicalinfrastructureMTUmustbeatleast50bytesmorethantheMTUofthevirtualmachinevNIC.
SetManagedIPaddressforeachvCenterserverinthevCenterServerRuntimeSettings.Formore
information,seevCenterServerandHostManagement.
IfusingDHCPforIPassignmentforVMKNics,verifythatDHCPisavailableonVXLANtransport
VLANs.
IfusinganIPpoolforstaticIPassignment,selectingagatewayotherthanthedefaultgatewayoftheESX
managementnetworkleveragesadedicatedTCPstack(appliestoVMwareESXi5.5orlater).
ForLinkAggregationControlProtocol(LACP),itisrecommendedhatyouenable5tuplehash
distribution.
Youmustuseaconsistentdistributedvirtualswitchtype(vendoretc.)andversionacrossagivennetwork
scope.Inconsistentswitchtypescanleadtoundefinedbehaviorinyourlogicalswitch.
Thecontrolplanethatmanageslogicalnetworksandoverlaytransportcanbesetasoneofthefollowing:
VMware, Inc.
Multicast:MulticastIPaddressesonphysicalnetworkisusedforthecontrolplane.Thismodeis
recommendedonlywhenyouareupgradingfromolderVXLANdeployments.Requires
PIM/IGMPonphysicalnetwork.
Unicast :ThecontrolplaneishandledbyanNSXcontroller.Alltrafficreplicationishandled
locallybythehypervisor.NomulticastIPaddressesorspecialnetworkconfigurationis
required.
Hybrid :Theoptimizedunicastmode.Offloadslocaltrafficreplicationtophysicalnetwork.This
requiresIGMPsnoopingonthefirsthopswitch,butdoesnotrequirePIM.Firsthopswitch
handlestrafficreplicationforthesubnet.
77
Working with Controllers

For the unicast or hybrid control plane mode, you must add an NSX controller to manage overlay transport and provide
East-West routing. The controller optimizes virtual machine broadcast (ARP only) traffic, and the learning is stored on
the host and the controller.
Add Controller
AddsanewNSXcontrolleronthespecifiedgivencluster.ThehostIdparameterisoptional.The
resourcePoolIdcanbeeithertheclusterIdorresourcePoolId.
TheIPaddressofthecontrollernodewillbeallocatedfromthespecifiedIPpool.deployTypedeterminesthe
controllernodememorysizeandcanbesmall,medium,orlarge.
Example 5-4. Add controller
Request
POST https://<nsxmgr-ip>/api/2.0/vdn/controller
RequestBody:
<controllerSpec>
<name>nsx-controller-node1</name>
<description>nsx-controller</description>
<ipPoolId>ipPool-1</ipPoolId>
<resourcePoolId>domain-c1</resourcePoolId>
<hostId>host-1</hostId>
<datastoreId>datastore-1</datastoreId>
<deployType>medium</deployType>
<networkId>dvportgroup-1</networkId>
<password>MyTestPassword</password>
</controllerSpec>
Query Controllers
Retrievesdetailsandruntimestatusforcontroller.Runtimestatuscanbeoneofthefollowing:
Deployingcontrollerisbeingdeployedandtheprocedurehasnotcompletedyet.
Removingcontrollerisbeingremovedandtheprocedurehasnotcompletedyet.
RunningcontrollerhasbeendeployedandcanrespondtoAPIinvocation.
UnknowncontrollerhasbeendeployedbutfailstorespondtoAPIinvocation.
Example 5-5. Query controllers

Request
GET https://<nsxmgr-ip>/api/2.0/vdn/controller
ResponseBody:
<controllers>
<controller>
<id>controller-...</id>
<name>controllerA</name>
<description>nvp-controller</description>
<status>RUNNING</status>
</controller>
...
</controllers>
78
VMware, Inc.
Query Controller Addition or Deletion Details

Retrievesstatusofcontrollercreationorremoval.Theprogressgivesapercentageindicationofcurrentdeploy
/removeprocedure.
Example 5-6. Query controller addition or deletion details
Request
GET https://<nsxmgr-ip>/api/2.0/vdn/controller/progress/<job_id>
ResponseBody:
<controllerDeploymentInfo>
<vmId>vm-1</vmId>
<progress>90</progress>
<status>PushingFile</status>
<exceptionMessage></exceptionMessage>
</controllerDeploymentInfo>
Query Controller Tech Support Logs

Retrievescontrollerlogs.Responsecontenttypeisapplication/octetstreamandresponseheaderisfilename.
Thisstreamsafairlylargebundleback(possiblyhundredsofMB).
Example 5-7. Query controller logs
Request
GET https://<nsxmgr-ip>/api/2.0/vdn/controller/{controllerId}/techsupportlogs
Delete Controller
DeletesNSXcontroller.Whendeletingthelastcontrollerfromacluster,theparameterforceRemovalForLast
mustbesettotrue.
Example 5-8. Delete controller
Request
DELETE https://<nsxmgr-ip>/api/2.0/vdn/controller/<controller-id>? forceRemoval=<true/false>
Query Cluster Information

Retrievesclusterwiseconfigurationinformationforcontroller.
Example 5-9. Query cluster details
Request
GET https://<nsxmgr-ip>/api/2.0/vdn/controller/cluster
ResponseBody:
<controllerConfig>
<sslEnabled>true</sslEnabled>
</controllerConfig>
Modify Cluster Configuration

Modifiesclusterwiseconfigurationinformationforcontroller.
VMware, Inc.
79
Example 5-10. Modify cluster configuration

Request
PUT https://<nsxmgr-ip>/api/2.0/vdn/controller/cluster
RequestBody:
<controllerConfig>
<sslEnabled>true</sslEnabled>
</controllerConfig>
Add Controller Syslog Exporter

Configuresasyslogexporteronthespecifiedcontrollernode.
Example 5-11. Query controller syslog exporter
Request
POST https://<nsxmgr-ip>/api/2.0/vdn/controller/{controller-id}/syslog
RequestBody:
<controllerSyslogServer>
<syslogServer>10.135.14.236</syslogServer>
<port>514</port>
<protocol>UDP</protocol>
<level>INFO</level>
</controllerSyslogServer>
Query Controller Syslog Exporter

Retrievesdetailsabouttheconfiguredsyslogexporteronthespecifiedcontrollernode.
Example 5-12. Query controller syslog exporter
Request
GET https://<nsxmgr-ip>/api/2.0/vdn/controller/{controller-id}/syslog
ResponseBody:
<controllerSyslogServer>
<syslogServer>10.135.14.236</syslogServer>
<port>514</port>
<protocol>UDP</protocol>
<level>INFO</level>
</controllerSyslogServer>
Delete Controller Syslog Exporter

Deletessyslogexporteronthespecifiedcontrollernode.
Example 5-13. Delete controller syslog exporter
Request
DELETE https://<nsxmgr-ip>/api/2.0/vdn/controller/{controller-id}/syslog
80
VMware, Inc.
Backup Controller Data

Takesasnapshotofthecontrolclusterfromthespecifiedcontrollernodet.
Example 5-14. Backup controller data
Request:
GET
https://NSXManagerIPAddress/api/2.0/vdn/controller/controllerID/snapshot
ToretrievethecontrollerIDs,logintothevSphereWebClient.NavigatetoNetworking&Security>
Installation.TheNSXControllerNodestableliststhecontrollerIDs(Namecolumn)andIPaddresses(Node
column)ofeachcontroller.
TheoutputoftheGETcallisanoctetstreamcontainingthecontrollersnapshot.Examplecalltodownloadthe
snapshotisasfollows.
curl -u admin:default -H "Accept: application/octet-stream" -X GET -k

https://NSXManagerIPAddress/api/2.0/vdn/controller/controllerID/snapshot
> controller_backup.snapshot
Working with Segment IDs

YoumustspecifyasegmentIDpoolforeachNSXManagertoisolateyournetworktraffic.IfanNSXcontroller
isnotdeployedinyourenvironment,youmustaddamulticastaddressrangetohelpinspreadingtraffic
acrossyournetworkandavoidoverloadingasinglemulticastaddress.
Add a new Segment ID Range

YoucanaddasegmentIDrange,fromwhichanIDisautomaticallyassignedtothelogicalswitch.
Example 5-15. Add a segment ID range
Request:
POST https://<vsm-ip>/api/2.0/vdn/config/segments
RequestBody:
<segmentRanges>
<segmentRange>
<id>1</id>
<name>name</name>
<desc>desc</desc>
<begin>1000</begin>
<end>1500</end>
</segmentRange>
<segmentRange>
....
</segmentRange>
....
</segmentRanges>
ThesegmentrangeisinclusivethebeginningandendingIDsareincluded.
Query all Segment ID Ranges

YoucanretrieveallsegmentIDranges.
VMware, Inc.
81
Example 5-16. Get all Segment ID Ranges

Request:
GET https://<vsm-ip>/api/2.0/vdn/config/segments
ResponseBody:
<segmentRanges>
<segmentRange>
<id>1</id>
<name>name</name>
<desc>desc</desc>
<begin>5000</begin>
<end>9000</end>
</segmentRange>
<segmentRange>
....
</segmentRange>
</segmentRanges>
Query a Specific Segment ID Range

YoucanretrieveasegmentIDrangebyspecifyingthesegmentID.
Example 5-17. Get a specific Segment ID Range
Request:
GET https://<vsm-ip>/api/2.0/vdn/config/segments/SegmentID
ResponseBody:
<segmentRange>
<id>1</id>
<name>name</name>
<desc>desc</desc>
<begin>10000</begin>
<end>11000</end>
</segmentRange>
Update a Segment ID Range

Youcanupdatethename,description,orendofasegmentIDrange.
Example 5-18. Update a Segment ID Range
Request:
PUT https://<vsm-ip>/api/2.0/vdn/config/segments/SegmentID
Request Body:
<segmentRange>
<end>3000</end>
<name>name</name>
<desc>desc</desc>
</segmentRang>
Delete a Segment ID Range

YoucandeleteasegmentIDrange.
Example 5-19. Delete a Segment ID Range
Request:
82
VMware, Inc.
DELETE https://<vsm-ip>/api/2.0/vdn/config/segments/SegmentID
Configure VXLAN
Example 5-20. Install VXLAN
Request
RequestBody:
<featureId>com.vmware.vshield.vsm.vxlan</featureId>
<resourceConfig>
<configSpec class="clusterMappingSpec">
<switch><objectId>{DVS MOID}</objectId></switch>
<vlanId>0</vlanId>
<vmknicCount>1</vmknicCount>

<ipPoolId>{IPADDRESSPOOL ID}</ipPoolId>
</configSpec>
</resourceConfig>
<resourceConfig>
<resourceId>{DVS MOID}</resourceId>
<configSpec class="vdsContext">
<mtu>1600</mtu>

<teaming>ETHER_CHANNEL</teaming>
</configSpec>
</resourceConfig>
Install VXLAN
Example 5-21. Install VXLAN with LACPv2
Request
RequestBody:
<featureId>com.vmware.vshield.nsxmgr.vxlan</featureId>
<resourceConfig>
<configSpec class="clusterMappingSpec">
<vlanId>0</vlanId>
<vmknicCount>1</vmknicCount>
</configSpec>
</resourceConfig>
<resourceConfig>
<resourceId>{DVS MOID}</resourceId>
<configSpec class="vdsContext">
<mtu>1600</mtu>
<teaming>LACP_V2</teaming>

<uplinkPortName>{LAG NAME}</uplinkPortName>
VMware, Inc.
83
</configSpec>
</resourceConfig>
Delete VXLAN
DeletesVXLANfromthespecifiedcluster.Thisdoesnotdeletethenetworkvirtualizationcomponentsfrom
thecluster.
Example 5-22. Delete VXLAN
Request
Delete VXLAN with vdsContext

DeletesVXLANfromthespecifiedclusterandalsoremovesthevdsContext.
Example 5-23. Delete VXLAN
Request
Working with Network Scopes

Anetworkscopeisthenetworkinginfrastructurewithinprovidervirtualdatacenters.
Create a Network Scope

Youmustspecifytheclustersthataretobepartofthenetworkscope.YoumusthavetheVLANID,UUIDof
thevCenterServer,andvDSID.
Example 5-24. Create a network scope
Request:
POST https://<vsm-ip>/api/2.0/vdn/scopes
RequestBody:
<vdnScope>
<clusters>
<cluster><cluster><objectId>domain-c59</objectId></cluster></cluster>
</clusters>
</vdnScope>
Edit a Network Scope

Youcanaddaclustertoordeleteaclusterfromanetworkscope.
Request:
POST https://<vsm-ip>/api/2.0/vdn/scopes/scopeID?action=patch
RequestBody:
<vdnScope>
<objectId>{id}</objectId>
84
VMware, Inc.
<clusters>
</clusters>
</vdnScope>
Update Attributes on a Network Scope

Youcanupdatetheattributesofanetworkscope.
Example 5-26. Update attributes of a network scope
Request:
PUT https://<vsm-ip>/api/2.0/vdn/scopes/scopeID/attributes
RequestBody:
<vdnScope>
<objectId>vdnScope-1</objectId>
<name>new name</name>
<description>new description</description>
</vdnScope>
Query existing Network Scopes

Youcanretrieveallexistingnetworkscopes.
Example 5-27. Get all network scopes
Request:
GET https://<vsm-ip>/api/2.0/vdn/scopes
ResponseBody:
<vdnScopes>
<vdnScope>
<objectId>vdnscope-2</objectId>
<type><typeName>VdnScope</typeName></type>
<name>My Name</name>
<description>My Description</description>
<objectTypeName>VdnScope</objectTypeName>
<id>vdnscope-2</id>
<clusters>
<cluster>
<cluster>
<objectId>domain-c124</objectId>
<type><typeName>ClusterComputeResource</typeName></type>
<name>vxlan-cluster</name>
<scope><id>datacenter-2</id><objectTypeName>Datacenter</objectTypeName><name>dc1</name></scope>
</cluster>
</cluster>
...
</clusters>
<virtualWireCount>10</virtualWireCount>
</vdnScope>
...
<vdnScope>...</vdnScope>
...
</vdnScopes>
VMware, Inc.
85
Query a Specific Network Scope

Youcanretrieveaspecificnetworkscope.
Example 5-28. Get a network scope
Request:
GET https://<vsm-ip>/api/2.0/vdn/scopes/scopeID
ResponseBody:
<vdnScope>
<description>My description</description>
<id>vdnscope-2</id>
<clusters>
<cluster>
<cluster>
</cluster>
</cluster>
...
</clusters>
</vdnScope>
Delete a Network Scope

Youcandeleteanetworkscope.
Example 5-29. Delete network scope
Request:
DELETE https://<vsm-ip>/api/2.0/vdn/scopes/scopeID
Reset Communication
ResetscommunicationbetweenNSXManagerandahostorcluster.
Example 5-30. Reset communication
Request
POST https://<nsxmgr-ip>/api/2.0/nwfabric/configure?action=synchronize
Query Features on Cluster

Retrievesallfeaturesavailableonthecluster.
Example 5-31. Query features
Request
86
VMware, Inc.
POST https://<nsxmgr-ip>/api/2.0/nwfabric/features
ResponseBody:
<featureInfos>

<featureInfo>
<name>{FEATURE NAME}</name>
<featureId>{FEATURE ID}</featureId>
<version>{FEATURE VERSION}</version>
</featureInfo>
<featureInfos>
Query Status of Specific Resources

Example 5-32. Query status
Request
GET https://<nsxmgr-ip>/api/2.0/nwfabric/status?resource=<RESOURCE ID>
ResponseBody:
<resourceStatuses>
<resourceStatus>
<resource>
<objectId>{resource id}</objectId>
<objectTypeName>ClusterComputeResource</objectTypeName>
<nsxmgrUuid>jfldj</nsxmgrUuid>
<type>
<typeName>ClusterComputeResource</typeName>
</type>
<name>c-1</name>
<scope>
<name>dc-1</name>
</scope>
<clientHandle>
</clientHandle>
</resource>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.nsxmgr.nwfabric.hostPrep</featureId>
<featureVersion>5.5</featureVersion>
<updateAvailable>false</updateAvailable>
<status>RED</status>
<message>
</message>
<installed>true</installed>
</nwFabricFeatureStatus>
<status>UNKNOWN</status>
<installed>false</installed>
<featureId>com.vmware.vshield.nsxmgr.messagingInfra</featureId>
VMware, Inc.
87
<featureId>com.vmware.vshield.firewall</featureId>
</resourceStatus>
</resourceStatuses>
Query Status of Child Resources

Request
GET https://<nsxmgr-ip>/api/2.0/nwfabric/status/child/<PARENT RESOURCE ID>
ResponseBody:
<resourceStatuses>
<resourceStatus>
<resource>
<objectId>host-9</objectId>
<objectTypeName>HostSystem</objectTypeName>
<type>
<typeName>HostSystem</typeName>
</type>
<name>10.135.14.186</name>
<scope>
<id>domain-c34</id>
<name>c-1</name>
</scope>
<clientHandle>
</clientHandle>
</resource>
<message>
</message>
88
VMware, Inc.
</resourceStatus>
</resourceStatuses>
Query Status of Resources by Criterion

Request
GET https://<nsxmgr-ip>/api/2.0/nwfabric/status/alleligible/<RESOURCE TYPE>
ResponseBody:
<resourceStatuses>
<resourceStatus>
<resource>
<type>
</type>
<name>c-1</name>
<scope>
<name>dc-1</name>
</scope>
<clientHandle>
</clientHandle>
</resource>
<message>
</message>
VMware, Inc.
89
</resourceStatus>
<resourceStatus>
<resource>
<type>
</type>
<name>c-2</name>
<scope>
<name>dc-2</name>
</scope>
<clientHandle>
</clientHandle>
</resource>
</resourceStatus>
</resourceStatuses>
Working with Services

Thesecurityfabricsimplifiesandautomatesdeploymentofsecurityservicesandprovideaplatformfor
configurationoftheelementsthatarerequiredtoprovidesecuritytoworkloads.Theseelementsinclude:
90
Internalcomponents:
USVM
EndpointMux
DataSecurity
LogicalFirewall
Externalcomponents
VMware, Inc.
PartnerOVFs/Vibs
Partnervendorpolicytemplates
Forpartnerservices,theoverallworkflowbeginswithregistrationofservicesbypartnerconsoles,followed
bydeploymentoftheservicesbytheadministrator.
Subsequentworkflowisasfollows:
1
Selecttheclustersonwhichtodeploythesecurityfabric(Mux,Trafficfilter,USVM).
SpecifyanIPpooltobeusedwiththeSVMs(availableonlyifthepartnerregistrationindicates
requirementofstaticIPs)
Selectportgroup(DVPG)tobeusedforeachcluster(adefaultisprepopulatedfortheuser).
Selectdatastoretobeusedforeachcluster(adefaultisprepopulatedfortheuser).
NSXManagerdeploysthecomponentsonallhostsoftheselectedclusters.
Onceyoudeploythesecurityfabric,anagencydefinestheconfigurationneededtodeployagents(host
componentsandappliances).Anagencyiscreatedperclusterperdeploymentspecassociatedwithservices.
Agentsaredeployedontheselectedclusters,andevents/hooksforalltherelevantactionsaregenerated.
Install Security Fabric

Example 5-35. Install service
Request
POST https://<nsxmgr-ip>/api/2.0/si/deploy?startTime=<time>
RequestBody
<clusterDeploymentConfigs>
<clusterDeploymentConfig>
<clusterId>cluster-id</clusterId>
<datastore>ds-id</datastore> 
<services>
<serviceDeploymentConfig>
<serviceId>service-id</serviceId>
<dvPortGroup>dvpg-id</dvPortGroup>
<ipPool>ipPool</ipPool>
</serviceDeploymentConfig>
</services>
</clusterDeploymentConfig>
</clusterDeploymentConfigs>
where:
dataStoreNeedstobespecifiedonlyinPOSTcall.InPUTcall,itshouldbeleftemptyotherwisethecall
willfail.
dvPortGroupThisisoptional.Ifnotspecified,thenuserwillsettheAgentusingvCenterServer.
ipPoolThisisoptional.ifnotspecified,IPaddressisassignedthroughDHCP.
startTimeTimewhenthedeploymenttask(s)arescheduledfor.Ifthisisnotspecifiedthendeployment
willhappenimmediately.
Service Dependency
Servicesinstalledthroughthesecurityfabricmaybedependentonotherservices.Whenaninternalserviceis
registered,adependencyMap is maintained with the service-id and implementation type of the internal service.
VMware, Inc.
91
When partner registers a new service, the security fabric looks up its implementation type in the dependencyMap to
identify the service it depends on, if any. Accordingly, a new field in Service object called dependsOn-service-id is
populated.
Deploying a Service with a Dependency

Example 5-36. Deploy service
Request
POST https://<nsxmgr-ip>/api/2.0/si/deploy
Identify Service Dependency

Liststheserviceonwhichthespecifiedservicedependson.
Example 5-37. Identify service dependency
Request
GET https://<nsxmgr-ip>/api/2.0/si/deploy/service/<service-id>/dependsOn
Uninstall Service Dependency

Liststheserviceonwhichthespecifiedservicedependson.
Example 5-38. Uninstall service dependency
Request
DELETE https://<nsxmgr-ip>/api/2.0/si/deploy/clutser/<cluster-id>
Ifyoutrytoremoveaserviceonwhichaservicedependsonanditisalreadyinstalled,theuninstallationfails.
Inordertouninstallservicesinanyorder,setparameterignoreDependencytrue.
Query Installed Services

Retrievesallservicescurrentlydeployedontheclusteralongwiththeirstatus.
Example 5-39. Query services
Request
GET https://<nsxmgr-ip>/api/2.0/si/deploy/cluster/<cluster-id>
ResponseBody
<deployedServices>
<deployedService>
<deploymentUnitId>deploymentunit-1</deploymentUnitId>
<serviceId>service-3</serviceId>
<cluster>
<nsxmgrUuid>42036483-6CF3-4F0F-B356-2EB1E6369C6F</nsxmgrUuid>
<type>
</type>
<name>Cluster-1</name>
<scope>
92
VMware, Inc.
<name>nasingh-dc</name>
</scope>
</cluster>
<serviceName>domain-c41_service-3</serviceName>
<datastore>
<objectId>datastore-29</objectId>
<objectTypeName>Datastore</objectTypeName>
<type>
<typeName>Datastore</typeName>
</type>
<name>datastore1</name>
</datastore>
<dvPortGroup>
<objectId>dvportgroup-45</objectId>
<objectTypeName>DistributedVirtualPortgroup</objectTypeName>
<type>
<typeName>DistributedVirtualPortgroup</typeName>
</type>
<name>dvPortGroup</name>
<scope>
<name>nasingh-dc</name>
</scope>
</dvPortGroup>
<serviceStatus>SUCCEEDED</serviceStatus>
</deployedService>
</deployedServices>
Query Details about a Service

Retrievesdetailedinformationabouttheservice.
Example 5-40. Query service
Request
GET https://<nsxmgr-ip>/api/2.0/si/deploy/cluster/<cluster-id>/service/<service-id>
ResponseBody
SeeExample 539.
Query Clusters
Retrievesallclustersonwhichthespecifiedserviceisinstalled.
Example 5-41. Query clusters
Request
GET https://<nsxmgr-ip>/api/2.0/si/deploy/service/<service-id>
ResponseBody
VMware, Inc.
93
SeeExample 539.
Upgrade Service
Upgradesservicetorecentversion.
Example 5-42. Query clusters
Request
PUT https://<nsxmgr-ip>/api/2.0/si/deploy/?startTime=<time>
RequestBody
<clusterDeploymentConfigs>
<clusterDeploymentConfig>
<clusterId>{clusterId}</clusterId>
<datastore>{datastoreId}</datastore>
<services>
<serviceDeploymentConfig>
<serviceId>{serviceId}</serviceId>
<serviceInstanceId>{serviceInstanceId}</serviceInstanceId>
<dvPortGroup>{dvpg ID}</dvPortGroup>
<ipPool>{ipPoolId}</ipPool>
</serviceDeploymentConfig>
</services>
</clusterDeploymentConfig>
</clusterDeploymentConfigs>
Thedatastore,dvPortGroup,andipPoolvariablesshouldeithernotbespecifiedorhavesamevalueas
providedattimeofdeployment.
Query Agents on Host

Retrievesallagentsonthespecifiedhost.TheresponsebodycontainsagentIDsforeachagent,whichyoucan
usetoretrievedetailsaboutthatagent.
Example 5-43. Query agents on host
Request
GET https://<nsxmgr-ip>/api/2.0/si/host/<host-id>/agents
ResponseBody
<fabricAgents>
<agent>
<agentId>nsxmgragent-1</agentId>
<agentName>agent name if present</agentName>
<serviceName>EndpointService</serviceName>
<operationalStatus>ENABLED</operationalStatus>
<progressStatus>IN_PROGRESS</progressStatus>
<vmId>vm-92</vmId>
<host>host-10</host>
<id>2</id>
<dnsSuffix>
</dnsSuffix>
94
VMware, Inc.
<serviceStatus>
<status>WARNING</status>
<errorId>partner_error</errorId>
<errorDescription>partner_error</errorDescription>
</serviceStatus>
<hostInfo>
<nsxmgrUuid>420369CD-2311-F1F7-D4AA-1158EA688E54</nsxmgrUuid>
<type>
</type>
<name>10.112.5.173</name>
<scope>
<id>domain-c7</id>
<name>Kaustubh-CL</name>
</scope>
<clientHandle>
</clientHandle>
</hostInfo>
<initialData>partner data if present</initialData>
</agent>
</fabricAgents>
Query Agent Information

Retrievesagent(agents(hostcomponentsandappliances))details.
Example 5-44. Query agent details
Request
GET https://<nsxmgr-ip>/api/2.0/si/agent/<agent-id>
ResponseBody
<agent>
<vmId>vm-92</vmId>
<id>2</id>
<dnsSuffix>
</dnsSuffix>
<serviceStatus>
</serviceStatus>
<hostInfo>
VMware, Inc.
95
<type>
</type>
<name>10.112.5.173</name>
<scope>
<id>domain-c7</id>
</scope>
<clientHandle>
</clientHandle>
</hostInfo>
</agent>
Query Agents for Deployment

Retrievesallagentsforthespecifieddeployment.
Example 5-45. Query agents for deployment
Request
GET https://<nsxmgr-ip>/api/2.0/si/deployment/<deploymentunit-id>/agents
ResponseBody
<fabricAgents>
<agent>
<vmId>vm-92</vmId>
<id>2</id>
<dnsSuffix>
</dnsSuffix>
<serviceStatus>
</serviceStatus>
<hostInfo>
<type>
</type>
<name>10.112.5.173</name>
96
VMware, Inc.
<scope>
<id>domain-c7</id>
</scope>
<clientHandle>
</clientHandle>
</hostInfo>
</agent>
</fabricAgents>
Working with Conflicting Agencies

WhentheNSXManagerdatabasebackupisrestoredtoanolderpointintime,itispossiblethatdeployment
unitsforsomeEAMAgenciesaremissing.TheseAPIshelptheadministratoridentifysuchEAMAgenciesand
takeappropriateaction.
Query Conflicts
RetrievesconflictingDeploymentUnitsandEAMAgencies,ifany,andtheallowedoperationsonthem.
Example 5-46. Query conflicts
Request
GET https://<nsxmgr-ip>/api/2.0/si//fabric/sync/conflicts
ResponseBody
<fabricSyncConflictInfo>
<fabricSyncConflictInfo>
<conflictExist>true</conflictExist>
<agencies>
<agenciesInfo>
<agencyConflictInfo>
<agencyId>agency-150</agencyId>
<agencyName>_VCNS_264_nasingh-cluster1_VMware Endpoint</agencyName>
</agencyConflictInfo>
</agenciesInfo>
<allowedOperations>
<conflictResolverOperation>DELETE</conflictResolverOperation>
<conflictResolverOperation>RESTORE</conflictResolverOperation>
</allowedOperations>
</agencies>
</fabricSyncConflictInfo>
Restore Conflicting Agencies

CreatesDeploymentUnitsforconflictingEAMAgencies.
Request
PUT https://<nsxmgr-ip>/api/2.0/si/fabric/sync/conflicts
RequestBody
<conflictResolverInfo>
<agencyAction>RESTORE</agencyAction>
VMware, Inc.
97
</conflictResolverInfo>
Delete Conflicting Agencies

DeletesconflictingEAMAgencies.
Example 5-48. Delete conflicts
Request
RequestBody
<agencyAction>DELETE</agencyAction>
Delete Deployment Units

DeletesDeploymentUnitsforconflictingEAMAgencies.
Request
RequestBody
<deploymentUnitAction>DELETE</deploymentUnitAction>
Uninstalling Services
Uninstallsthespecifiedservicesfromthespecifiedlusters.
Example 5-50. Uninstall services from a cluster
Request:
DELETE https://<vsm-ip>/api/2.0/si/deploy/cluster/<cluster-id>?services=service-id1,service-id2&startTime=<time>
where:
serviceslistofserviceidsthatneedstobeuninstalledfromthecluster.Ifthisisnotspecifiedthenallthe
serviceswillbeuninstalled.
startTimetimewhentheuninstallwillbescheduledfor.Ifthisisnotspecifiedthenuninstallwillhappen
immediately.
Example 5-51. Uninstall specified service from specified clusters

Request:
DELETE
https://<vsm-ip>/api/2.0/si/deploy/service/<service-id>?clusters=cluster-id1,clus
ter-id2&startTime=<time>
where:
98
VMware, Inc.
clusterslistofclusteridsthatserviceneedstobeuninstalledfrom.
startTimetimewhentheuninstallwillbescheduledfor.Ifthisisnotspecifiedthenuninstallwillhappen
immediately.
VMware, Inc.
99
100
VMware, Inc.
Working with Logical Switches
Aclouddeploymentoravirtualdatacenterhasavarietyofapplicationsacrossmultipletenants.These
applicationsandtenantsrequireisolationfromeachotherforsecurity,faultisolation,andavoiding
overlappingIPaddressingissues.TheNSXlogicalswitchcreateslogicalbroadcastdomainsorsegmentsto
whichanapplicationortenantvirtualmachinecanbelogicallywired.Thisallowsforflexibilityandspeedof
deploymentwhilestillprovidingallthecharacteristicsofaphysicalnetworksbroadcastdomains(VLANs)
withoutphysicalLayer2sprawlorspanningtreeissues.
Alogicalswitchisdistributedandcanspanarbitrarilylargecomputeclusters.Thisallowsforvirtualmachine
mobility(vMotion)withinthedatacenterwithoutlimitationsofthephysicalLayer2(VLAN)boundary.The
physicalinfrastructuredoesnothavetodealwithMAC/FIBtablelimitssincethelogicalswitchcontainsthe
broadcastdomaininsoftware.
AlogicalswitchismappedtoauniqueVXLAN,whichencapsulatesthevirtualmachinetrafficandcarriesit
overthephysicalIPnetwork.
TheNSXcontrolleristhecentralcontrolpointforalllogicalswitcheswithinanetworkandmaintains
informationofallvirtualmachines,hosts,logicalswitches,andVXLANs.Thecontrollersupportstwonew
logicalswitchcontrolplanemodes,UnicastandHybrid,ThesemodesdecoupleNSXfromthephysical
network.VXLANsnolongerrequirethephysicalnetworktosupportmulticastinordertohandlethe
Broadcast,Unknownunicast,andMulticast(BUM)trafficwithinalogicalswitch.Theunicastmodereplicates
alltheBUMtrafficlocallyonthehostandrequiresnophysicalnetworkconfiguration.Inthehybridmode,
someoftheBUMtrafficreplicationisoffloadedtothefirsthopphysicalswitchtoachievebetterperformance.
ThismoderequiresIGMPsnoopingtobeturnedonthefirsthopphysicalswitch.Virtualmachineswithina
logicalswitchcanuseandsendanytypeoftrafficincludingIPv6andmulticast.
YoumustbeaSecurity Administrator in order to create VXLAN networks.
PreparingforLogicalSwitchesonpage 102
ConfiguringSwitchesonpage 102
WorkingwithSegmentIDsonpage 104
WorkingwithMulticastAddressRangesonpage 105
WorkingwithNetworkScopesonpage 107
WorkingwithVirtualizedNetworksonpage 109
ManagingtheVXLANVirtualWireUDPPortonpage 112
QueryingAllocatedResourcesonpage 112
TestingMulticastGroupConnectivityonpage 113
VMware, Inc.
101
PerformingPingTestonpage 114
Preparing for Logical Switches

Beforecreatingalogicalswitch,ensurethat:
you have installed the network virtualization components on the appropriate clusters
you have configured VXLAN on the appropriate clusters
Configuring Switches
YoumustprepareeachvDSbyspecifyingtheVLANforyourL2domainandtheMTUforeachvDS.
Prepare Switch
TheMTUisthemaximumamountofdatathatcanbetransmittedinonepacketbeforeitisdividedinto
smallerpackets.Theframesareslightlylargerinsizebecauseofthetrafficencapsulation,sotheMTUrequired
ishigherthanthestandardMTU.YoumustsettheMTUforeachswitchto1600orhigher.
Example 6-1. Prepare switch
Request:
POST https://<vsm-ip>/api/2.0/vdn/switches
RequestBody:
<vdsContext>
<switch>
<objectId>dvs-26</objectId>
<type><typeName>DistributedVirtualSwitch</typeName></type>
<objectTypeName>DistributedVirtualSwitch</objectTypeName>
</switch>
<mtu>mtu-value</mtu>
</vdsContext>
Query Configured Switches

Youcanretrieveallconfiguredswitches.
Example 6-2. Get all configured switches
Request:
GET https://<vsm-ip>/api/2.0/vdn/switches
ResponseBody:
<vdsContexts>
<vdsContext>
<switch>
</switch>
<teaming>LACP_PASSIVE</teaming>
</vdsContext>
...
102
VMware, Inc.
Chapter 6 Working with Logical Switches
<vdsContext>...</vdsContext>
...
</vdsContexts>
Query Configured Switches on Datacenter

Youcanretrieveallconfiguredswitchesonadatacenter.
Example 6-3. Get configured switches on a datacenter
Request:
GET https://<vsm-ip>/api/2.0/vdn/switches/datacenter/datacenterID
ResponseBody:
<vdsContexts>
<vdsContext>
<switch>
</switch>
</vdsContext>
...
<vdsContext>...</vdsContext>
...
</vdsContexts>
Query Specific Switch

YoucanretrieveaspecificswitchbyspecifyingitsID.
Example 6-4. Get specific switch
Request:
GET https://<vsm-ip>/api/2.0/vdn/switches/switchID
ResponseBody:
<vdsContext>
<switch>
</switch>
</vdsContext>
Delete Switch
Youcandeleteaswitch.
VMware, Inc.
103
Example 6-5. Delete switch

Request:
DELETE https://<vsm-ip>/api/2.0/vdn/switches/switchID
Working with Segment IDs

YoucanspecifyasegmentIDpooltoisolateyournetworktraffic.
Add a new Segment ID Range

YoucanaddasegmentIDrange,fromwhichanIDisautomaticallyassignedtotheVXLANvirtualwire.
Example 6-6. Add a segment ID range
Request:
POST https://<vsm-ip>/api/2.0/vdn/config/segments
RequestBody:
<segmentRanges>
<segmentRange>
<id>1</id>
<name>name</name>
<desc>desc</desc>
<begin>1000</begin>
<end>1500</end>
</segmentRange>
<segmentRange>
....
</segmentRange>
....
</segmentRanges>
ThesegmentrangeisinclusivethebeginningandendingIDsareincluded.
Query all Segment ID Ranges

YoucanretrieveallsegmentIDranges.
Example 6-7. Get all Segment ID Ranges
Request:
GET https://<vsm-ip>/api/2.0/vdn/config/segments
ResponseBody:
<segmentRanges>
<segmentRange>
<id>1</id>
<name>name</name>
<desc>desc</desc>
<begin>5000</begin>
<end>9000</end>
</segmentRange>
<segmentRange>
....
</segmentRange>
</segmentRanges>
104
VMware, Inc.
Query a Specific Segment ID Range

YoucanretrieveasegmentIDrangebyspecifyingthesegmentID.
Example 6-8. Get a specific Segment ID Range
Request:
GET https://<vsm-ip>/api/2.0/vdn/config/segments/SegmentID
ResponseBody:
<segmentRange>
<id>1</id>
<name>name</name>
<desc>desc</desc>
<begin>10000</begin>
<end>11000</end>
</segmentRange>
Update a Segment ID Range

Youcanupdatethename,description,orendofasegmentIDrange.
Example 6-9. Update a Segment ID Range
Request:
PUT https://<vsm-ip>/api/2.0/vdn/config/segments/SegmentID
Request Body:
<segmentRange>
<end>3000</end>
<name>name</name>
<desc>desc</desc>
</segmentRang>
Delete a Segment ID Range

YoucandeleteasegmentIDrange.
Example 6-10. Delete a Segment ID Range
Request:
DELETE https://<vsm-ip>/api/2.0/vdn/config/segments/SegmentID
Working with Multicast Address Ranges

Specifyingamulticastaddressrangehelpsinspreadingtrafficacrossyournetworktoavoidoverloadinga
singlemulticastaddress.AvirtualizednetworkreadyhostisassignedanIPaddressfromthisrange.
Add a new Multicast Address Range

Youcanaddanewmulticastaddressrange.
Example 6-11. Add a multicast address range
Request:
POST https://<vsm-ip>/api/2.0/vdn/config/multicasts
RequestBody:
VMware, Inc.
105
<multicastRanges>
<multicastRange>
<id>1</id>
<name>name</name>
<desc>desc</desc>
<begin>239.1.1.1</begin>
<end>239.3.3.3</end>
</multicastRange>
<multicastRange>
....
</multicastRange>
....
</multicastRanges>
Theaddressrangeisinclusivethebeginningandendingaddressesareincluded.
Query all Multicast Address Ranges

Youcanretrieveallmulticastaddressranges.
Example 6-12. Get all multicast ranges
Request:
GET https://<vsm-ip>/api/2.0/vdn/config/multicasts
ResponseBody:
<multicastRanges>
<multicastRange>
<id>1</id>
<name>name</name>
<desc>desc</desc>
<end>239.3.3.3</end>
</multicastRange>
<multicastRange>
...
</multicastRange>
...
</multicastRanges>
Get a Specific Multicast Address Range

Youcanretrieveaspecificmulticastaddressrange.
Example 6-13. Get a multicast range
Request:
GET https://<vsm-ip>/api/2.0/vdn/config/multicasts/multicastAddressRangeID
ResponseBody:
<multicastRange>
<id>1</id>
<name>name</name>
<desc>desc</desc>
<end>239.3.3.3</end>
</multicastRange>
106
VMware, Inc.
Update a Multicast Address Range

Youcanupdatethename,description,orendaddressofamulticastaddressrange.
Example 6-14. Update a multicast range
Request Header:
PUT https://<vsm-ip>/api/2.0/vdn/config/multicasts/multicastAddressRangeID
Request Body:
<<segmentRange>
<end>3000</end>
<name>name</name>
<desc>desc</desc>
</segmentRang>
Delete a Multicast Address Range

Youcandeleteamulticastaddressrange.
Example 6-15. Delete multicast address range
Request:
DELETE https://<vsm-ip>/api/2.0/vdn/config/multicasts/<multicasts/multicasts/
multicastAddressRangeID
Working with Network Scopes

Anetworkscopeisthenetworkinginfrastructurewithinprovidervirtualdatacenters.
Create a Network Scope

Youmustspecifytheclustersthataretobepartofthenetworkscope.YoumusthavetheVLANID,UUIDof
thevCenterServer,andvDSID.
Request:
POST https://<vsm-ip>/api/2.0/vdn/scopes
RequestBody:
<vdnScope>
<clusters>
</clusters>
</vdnScope>
Edit a Network Scope

Youcanaddaclustertoordeleteaclusterfromanetworkscope.
Request:
POST https://<vsm-ip>/api/2.0/vdn/scopes/scopeID?action=patch
RequestBody:
VMware, Inc.
107
<vdnScope>
<objectId>{id}</objectId>
<clusters>
</clusters>
</vdnScope>
Update Attributes on a Network Scope

Youcanupdatetheattributesofanetworkscope.
Example 6-18. Update attributes of a network scope
Request:
PUT https://<vsm-ip>/api/2.0/vdn/scopes/scopeID/attributes
RequestBody:
<vdnScope>
<objectId>vdnScope-1</objectId>
<name>new name</name>
<description>new description</description>
</vdnScope>
Query existing Network Scopes

Youcanretrieveallexistingnetworkscopes.
Example 6-19. Get all network scopes
Request:
GET https://<vsm-ip>/api/2.0/vdn/scopes
ResponseBody:
<vdnScopes>
<vdnScope>
<description>My Description</description>
<id>vdnscope-2</id>
<clusters>
<cluster>
<cluster>
</cluster>
</cluster>
...
</clusters>
</vdnScope>
...
<vdnScope>...</vdnScope>
...
108
VMware, Inc.
</vdnScopes>
Query a Specific Network Scope

Youcanretrieveaspecificnetworkscope.
Example 6-20. Get a network scope
Request:
GET https://<vsm-ip>/api/2.0/vdn/scopes/scopeID
ResponseBody:
<vdnScope>
<description>My description</description>
<id>vdnscope-2</id>
<clusters>
<cluster>
<cluster>
</cluster>
</cluster>
...
</clusters>
</vdnScope>
Delete a Network Scope

Youcandeleteanetworkscope.
Example 6-21. Delete network scope
Request:
DELETE https://<vsm-ip>/api/2.0/vdn/scopes/scopeID
Working with Virtualized Networks

AVXLANvirtualwireisacollectionofvDSportgroupsacrossmultiplevirtualdistributesswitches(vDS)
withinanetworkscope.
Create a VXLAN Virtual Wire

YoucancreateanewVXLANvirtualwireonthespecifiednetworkscope.Youmusthavedefinedasegment
IDrangeandamulticastaddressrangebeforecreatingaVXLANvirtualwire.
ThedefaultvalueofthecontrolPlaneModeparameteristhevaluespecifiedforthetransportzone.
VMware, Inc.
109
Example 6-22. Create a VXLAN virtual wire

Request:
POST https://<vsm-ip>/api/2.0/vdn/scopes/scopeID/virtualwires
RequestBody:
<virtualWireCreateSpec>
<name>virtual wire name</name>
<description>virtual wire description</description>
<tenantId>virtual wire tenant</tenantId>
<controlPlaneMode>UNICAST_MODE</controlPlaneMode>...
</virtualWireCreateSpec>
Query all VXLAN Virtual Wires on a Network Scope

YoucanretrieveallVXLANvirtualwiresonthespecifiednetworkscope.
Example 6-23. Get all VXLANvirtual wires
Request:
GET https://<vsm-ip>/api/2.0/vdn/scopes/scopeID/virtualwires
Response Body:
<virtualWires>
<sortedDataPage>
<datapart class="virtualWire">
<objectId>virtualwire-1</objectId>
<name>vWire1</name>
<description>virtual wire 1</description>
<vdnScopeId>vdnscope-7</vdnScopeId>
<vdsContextWithBacking>
<switchId>dvs-81</switchId>
<backingType>portgroup</backingType>
<backingValue>dvportgroup-88</backingValue>
</vdsContextWithBacking>
<vdnId>5002</vdnId>
<multicastAddr>239.0.0.3</multicastAddr>
</datapart>
....
....
</datapart>
<pagingInfo>
<pageSize>20</pageSize>
<startIndex>0</startIndex>
<totalCount>3</totalCount>
<sortOrderAscending>false</sortOrderAscending>
</pagingInfo>
</sortedDataPage>
</virtualWires>
Query all VXLAN Virtual Wires on all Network Scopes

YoucanretrieveallVXLANvirtualwiresacrossallnetworkscopes.
Example 6-24. Get all VXLANvirtual wires on all network scopes
Request:
110
VMware, Inc.
GET https://<vsm-ip>/api/2.0/vdn/virtualwires
ResponseBody:
</virtualWires>
<sortedDataPage>
<objectId>virtualwire-1</objectId>
<name>vWire1</name>
<description>virtual wire 1</description>
<backingType>portgroup</backingType>
<backingValue>dvportgroup-88</backingValue>
<vdnId>5002</vdnId>
</datapart> ....
<datapart class="virtualWire"> ....
</datapart>
<pagingInfo>
</pagingInfo>
</sortedDataPage>
</virtualWires>
Query a Specific VXLAN Virtual Wire

YoucanretrievethedefinitionforaVXLANvirtualwire.
Example 6-25. Get a VXLANvirtual wire definition
Request:
GET https://<vsm-ip>/api/2.0/vdn/virtualwires/virtualWireID
ResponseBody:
<virtualWire>
<name>Test Virtual Wire</name>
<description>Test Virtual Wire Description</description>
<objectid>virtualwire-4</objectid>
<backingType>PortGroup</backingType>
<backingValue>pg-moid</backingValue>
<vdnId>5002</vdnId>
</virtualWire>
Modify Control Plane Mode

Youcanmodifythecontrolplanemodeofalogicalswitch.Thepossibleoptionsare:
VMware, Inc.
111
Multicast: Multicast IP addresses on physical network is used for the control plane. This mode is
recommendedonlywhenyouareupgradingfromolderVXLANdeployments.Requires
PIM/IGMPonphysicalnetwork.
n Unicast: The control plane is handled by an NSX controller. All unicast traffic leverages headend
replication.NomulticastIPaddressesorspecialnetworkconfigurationisrequired.
n Hybrid: The optimized unicast mode. Offloads local traffic replication to physical network (L2
multicast).ThisrequiresIGMPsnoopingonthefirsthopswitch,butdoesnotrequirePIM.Firsthop
switchhandlestrafficreplicationforthesubnet.
Delete a VXLAN Virtual Wire

YoucandeleteaVXLANvirtualWire.
Example 6-26. Delete virtual wire
Request:
DELETE https://<vsm-ip>/api/2.0/vdn/virtualwires/virtualWireID
Managing the VXLAN Virtual Wire UDP Port

YoucanretrieveorupdatetheUDPport.
Get UDP Port

YoucanretrievetheUDPportfortheVXLANvirtualwire.
Example 6-27. Get UDP port
Request:
Get https://<vsm-ip>/api/2.0/vdn/config/vxlan/udp/port
Update UDP Port

YoucanchangetheUDPportfortheVXLANvirtualwire.Ifnotset,theportdefaultstoport8472.
Example 6-28. Change UDP port
Request:
PUT https://<vsm-ip>/api/2.0/vdn/config/vxlan/udp/port/port
Querying Allocated Resources

YoucanretrievealistofresourcesallocatedtoVXLANvirtualwiresinyournetwork.
Example 6-29. Get resources
GetsegmentIDsallocatedtoVXLANvirtualwires:
GET https://<vsm-ip>/api/2.0/vdn/config/resources/allocated?type=segmentId&pagesize={pageSize}&startindex={startIndex}
GetmulticastaddressrangeallocatedtoVXLANvirtualwires:
112
VMware, Inc.
GET https://<vsm-ip>/api/2.0/vdn/config/resources/allocated?type=multicastAddress&pagesize={pageSize}&startindex={startIndex}
where
start indexisanoptionalparameterwhichspecifiesthestartingpointforretrievingtheresources.Ifthis
parameterisnotspecified,resourcesareretrievedfromthebeginning.
Testing Multicast Group Connectivity

YoucanperformamulticastgroupconnectivitytestinanetworkscopeorVXLANvirtualwire.
Test Multicast Group Connectivity in a Network Scope

Example 6-30. Test multicast group connectivity in network scope
Request:
PUT https://<vsm-ip>/api/2.0/vdn/scopes/ScopeID/conn-check/multicast
RequestBody:
<testParameters>
<packetSize>1600</packetSize>
<expectedResponse>5</expectedResponse>
<returnHopCount>true</returnHopCount>
<returnRecordIp>true</returnRecordIp>
<sourceHost>
<vlanId>54</vlanId>
<sourceHost>
<destinationHost>
<vlanId>54</vlanId>
<destinationHost>
</testParameters>
Test Multicast Group Connectivity in a VXLAN Virtual Wire

Example 6-31. Test multicast group connectivity in virtual wire
Request:
PUT https://<vsm-ip>/api/2.0/vdn/scopes/virtualWireID/conn-check/multicast
RequestBody:
<testParameters>
<sourceHost>
<vlanId>54</vlanId>
<sourceHost>
<destinationHost>
VMware, Inc.
113
<vlanId>54</vlanId>
<destinationHost>
</testParameters>
Performing Ping Test

YoucanperformapointtopointconnectivitytestbetweentwohostsacrosswhichaVXLANvirtualwire
spans.
Example 6-32. Perform point to point test
Request:
PUT https://<vsm-ip>/api/2.0/vdn/virtualwires/virtualWireID/conn-check/p2p
RequestBody:
<testParameters>
<sourceHost>
<vlanId>54</vlanId>
<sourceHost>
<destinationHost>
<vlanId>54</vlanId>
<destinationHost>
</testParameters>
114
VMware, Inc.
NSX Edge Logical Router Installation

and Management
NSXEdgeLogicalRouterprovidesEastWestdistributedroutingwithtenantIPaddressspaceanddatapath
isolation.Virtualmachinesorworkloadsthatresideonthesamehostondifferentsubnetscancommunicate
withoneanotherwithouthavingtotraverseatraditionalroutinginterface.Alogicalroutercanhaveeight
uplinkinterfacesanduptoathousandinternalinterfaces.
ForinformationonretrievingobjectsIDs,seeonpage 33.
InstallingaLogicalRouteronpage 115
QueryaLogicalRouteronpage 116
ModifyaRouteronpage 118
DeletingaRouteronpage 118
Installing a Logical Router

Beforeinstallingalogicalrouter,youmustpreparethehostsontheappropriateclusters.Formore
information,seeWorkingwithNetworkVirtualizationComponentsonpage 76.
Alogicalroutercanhaveeightuplinkinterfacesanduptoathousandinternalinterfaces.
TheuserspecifiedconfigurationisstoredinthedatabaseandEdgeidentifierisreturnedtotheuser.This
identifiermustbeusedforfutureconfigurationsonthegivenEdge.
Ifanyappliance(s)arespecifiedandatleastoneconnectedinterface/vnicisspecified,thentheappliance(s)are
deployedandconfigurationisappliedtothem.
Example 7-1. Install a logical router
Request:
POST https://<nsxmgr-ip>/api/4.0/edges
RequestBody:
<edge>
<datacenterMoid>datacenter-2</datacenterMoid>
<type>distributedRouter</type>

<appliances>

<appliance>
<resourcePoolId>resgroup-20</resourcePoolId>
</appliance>
VMware, Inc.
115
</appliances>
<mgmtInterface>

<connectedToId>dvportgroup-38</connectedToId>
<addressGroups>
<addressGroup>
<primaryAddress>10.112.196.165</primaryAddress>
<subnetMask>255.255.252.0</subnetMask>
</addressGroup>
</addressGroups>
</mgmtInterface>
<interfaces>

<interface>
<type>uplink</type>
<mtu>1500</mtu>
<isConnected>true</isConnected>
<addressGroups>

<addressGroup>


</addressGroup>
</addressGroups>
<connectedToId>dvportgroup-39</connectedToId> 
</interface>
<interface>
<type>internal</type>
<mtu>1500</mtu>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
</interface>
</interfaces>
</edge>
IMPORTANTThelocationheaderreturnstheedgeIdoftheinstalledrouter.YoumustusethisIDtoconfigure
andmanagethisNSXEdgeinstance.
Query a Logical Router

Retrievesinformationaboutthespecifiedrouter.
Example 7-2. Query a router
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}
ResponseBody:
<edgeSummaries>
<edge>
<id>edge-15</id>
<version>21</version>
<status>deployed</status>
<datacenterName>Datacenter</datacenterName>
<tenant>default</tenant>
<name>vShield-edge-15</name>
<fqdn>vShield-edge-15</fqdn>
<enableAesni>true</enableAesni>
<enableFips>false</enableFips>
<vseLogLevel>info</vseLogLevel>
116
VMware, Inc.
Chapter 7 NSX Edge Logical Router Installation and Management
<appliances>
<applianceSize>compact</applianceSize>
<appliance>
<highAvailabilityIndex>0</highAvailabilityIndex>
<vcUuid>422f63b1-bb0e-ba50-3aae-4be1263db676</vcUuid>
<vmId>vm-62</vmId>
<resourcePoolName>Resources</resourcePoolName>
<datastoreName>shahm-esx-storage</datastoreName>
<hostName>10.112.196.160</hostName>
<vmFolderId>group-v3</vmFolderId>
<vmFolderName>vm</vmFolderName>
<vmHostname>vShield-edge-15-0</vmHostname>
<vmName>vShield-edge-15-0</vmName>
<deployed>true</deployed>
<edgeId>edge-15</edgeId>
</appliance>
</appliances>
<cliSettings>
<remoteAccess>false</remoteAccess>
<userName>admin</userName>
</cliSettings>
<type>distributedRouter</type>
<mgmtInterface>
<label>vNic_0</label>
<name>mgmtInterface</name>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<index>0</index>
<connectedToName>DvPortGroup1</connectedToName>
</mgmtInterface>
<interfaces>
<interface>
<name>interface1</name>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<type>uplink</type>
<index>1</index>
<connectedToName>dvport-vlan-1</connectedToName>
</interface>
<interface>
<label>75649aea0000000a</label>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
VMware, Inc.
117
<index>10</index>
</interface>
<interface>
<label>75649aea0000000b</label>
<name>interface-11</name>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<index>11</index>
<connectedToName>DvSwitch2-DVUplinks-36</connectedToName>
</interface>
</interfaces>
<edgeAssistId>1969527530</edgeAssistId>
</edge>
Modify a Router
Replacestheconfigurationofthespecifiedrouter.
Example 7-3. Modify router
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/{edgeId}
RequestBody:
SeeExample 71.
Deleting a Router
Youcandeletealogicalrouterinstance.Appliancesassociatedwiththerouterinstancearedeletedaswell.
Example 7-4. Delete a router
Request:
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>
Working with Interfaces

AnNSXEdgeroutercanhaveeightuplinkinterfacesanduptoathousandinternalinterfaces.Itmusthaveat
leastoneinternalinterfacebeforeitcanbedeployed.
Working with Management Interfaces

Configure Management Interfaces
ConfiguremanagementinterfacesforanNSXEdgerouter.
118
VMware, Inc.
Example 7-5. Configure management interfaces

Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/{edgeId/mgmtinterface
RequestBody:
<mgmtInterface>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
</mgmtInterface>
Query Management Interfaces

RetrievesallmanagementinterfacesforthespecifiedNSXEdgerouter.
Example 7-6. Query interfaces
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId/mgmtinterface
ResponseBody:
<mgmtInterface>
<name>mgmtInterface</name>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<index>0</index>
<connectedToName>DvPortGroup1</connectedToName>
</mgmtInterface>
Working with all Interfaces

AnNSXEdgeroutercanhaveupto8uplinkinterfaces.
Add Interfaces
ConfiguresoneormoreinterfaceforanNSXEdgeRouter.Thespecifiedconfigurationisstoredinthe
database.Ifanyappliance(s)isassociatedwiththisEdgeEdgeinstance,thespecifiedconfigurationisapplied
totheapplianceaswell.
Youshouldnotdefineaindexforthenewadditionofinterfaces.TheindexesaresystemgeneratedToupdate
theexistinginterfaces,includethemintheXMLwiththesystemgeneratedindexes(canbeobtainedbyaGET
call).
Example 7-7. Add an interface
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/interfaces/?action=patch
VMware, Inc.
119
RequestBody:
<interfaces>
<interface>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<type>uplink</type>
</interface>
<interface>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
</interface>
<interface>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
</interface>
</interfaces>
Query Interfaces for a NSX Edge Router

RetrievesallinterfacesforthespecifiedEdgerouter.
Example 7-8. Retrieve all interfaces
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/interfaces
ResponseBody:
<interfaces>
<interface>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<type>uplink</type>
120
VMware, Inc.
<index>1</index>
</interface>
<interface>
<label>75649aea0000000a</label>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<index>10</index>
</interface>
<interface>
<label>75649aea0000000b</label>
<name>interface-11</name>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<index>11</index>
<connectedToName>DvSwitch2-DVUplinks-36</connectedToName>
</interface>
</interfaces>
Delete Interfaces
DeletesoneormoreinterfacesforanNSXEdgeRouter.Storesthespecifiedconfigurationindatabase.Ifany
appliance(s)areassociatedwiththisedge,disconnectsanddeletestheinterface.
Example 7-9. Delete interface
Request:
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/interfaces/?index=<index1>&index=<index2>
Delete all Interfaces

DeletesallinterfacesforanNSXEdgeRouter.Storesthespecifiedconfigurationindatabase.Ifany
Example 7-10. Delete all interfaces
Request:
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/interfaces
VMware, Inc.
121
Manage an NSX Edge Router Interface

YoucanmanageaspecificNSXEdgerouterinterface.
Retrieve Interface with Specific Index

RetrievestheinterfacewithspecifiedindexforaEdgeEdge.
Example 7-11. Get interface with specific index
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/interfaces/index
ResponseBody:
<interface>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<type>uplink</type>
<index>1</index>
</interface>
Modify an Interface
Modifiesthespecifiedinterface.
Example 7-12. Modify interface
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/interfaces/<index>
ResponseBody:
<interface>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<type>uplink</type>
</interface>
Delete Interface Configuration

Deletestheinterfaceconfigurationandresetsittothefactorydefault.
122
VMware, Inc.
Example 7-13. Delete interface configuration

Request:
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/interfaces/index
Configure Routes
ConfiguresglobalConfig,staticRouting,OSPG,BGP,andISISroutes.
Example 7-14. Configure routes
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config
RequestBody:
<routing>
<routingGlobalConfig>
<routerId>1.1.1.1</routerId> 
<logging>

<enable>false</enable>
<logLevel>info</logLevel>
</logging>
<ipPrefixes> 
<ipPrefix>
<name>a</name> 
<ipAddress>10.112.196.160/24</ipAddress>
</ipPrefix>
<ipPrefix>
<name>b</name>
</ipPrefix>
</ipPrefixes>
</routingGlobalConfig>
<staticRouting>
<staticRoutes> 
<route>
<description>route1</description>
<vnic>0</vnic>
<network>3.1.1.0/22</network>
<nextHop>172.16.1.14</nextHop>
<mtu>1500</mtu> 
</route>
<route>
<vnic>1</vnic>
</route>
</staticRoutes>
<defaultRoute>

<description>defaultRoute</description>
<vnic>0</vnic>
<gatewayAddress>172.16.1.12</gatewayAddress>
<mtu>1500</mtu> 
</defaultRoute>
</staticRouting>
<ospf>

<enabled>true</enabled> 
VMware, Inc.
123
<forwardingAddress>192.168.10.2</forwardingAddress> 

<protocolAddress>192.168.10.3</protocolAddress> 
<ospfAreas>
<ospfArea>
<areaId>100</areaId> 
<type>normal</type> 
<authentication>

<type>password</type> 
<value>vmware123</value> 
</authentication>
</ospfArea>
</ospfAreas>
<ospfInterfaces>
<ospfInterface>
<vnic>0</vnic>
<areaId>100</areaId>
<helloInterval>10</helloInterval> 
<deadInterval>40</deadInterval> 
<priority>128</priority> 
<cost>10</cost> 
</ospfInterface>
</ospfInterfaces>
<redistribution>
<enabled>true</enabled> 
<rules>
<rule>
<prefixName>a</prefixName> 
<from>
<isis>true</isis>

<ospf>false</ospf>
<bgp>false</bgp>
<static>false</static> 
<connected>true</connected> 
</from>
<action>deny</action> 
</rule>
<rule>
<prefixName>b</prefixName> 
</from>
<action>permit</action> 
</rule>
</rules>
</redistribution>
</ospf>
<bgp>

<enabled>true</enabled> 
<localAS>65535</localAS>

<bgpNeighbours>
<bgpNeighbour>
<ipAddress>192.168.10.10</ipAddress> 
<forwardingAddress>192.168.1.10</forwardingAddress> 
<protocolAddress>192.168.1.11</protocolAddress>

<remoteAS>65500</remoteAS>

<weight>60</weight>

<holdDownTimer>180</holdDownTimer>

<keepAliveTimer>60</keepAliveTimer> 
<password>vmware123</password>

<bgpFilters>

<bgpFilter>
124
VMware, Inc.
<direction>in</direction>

<action>permit</action>

<network>10.0.0.0/8</network> 
<ipPrefixGe>17</ipPrefixGe> 
<ipPrefixLe>32</ipPrefixLe> 
</bgpFilter>
</bgpFilters>
</bgpNeighbour>
</bgpNeighbours>
<redistribution>
<rules>
<rule>
<from>
<isis>true</isis>
<ospf>true</ospf>
<bgp>false</bgp>
<static>true</static> 
</from>
</rule>
<rule>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>false</bgp>
</from>
</rule>
</rules>
</redistribution>
</bgp>
</routing>
Query Routes
Retrievesglobal,static,OSPF,BGP,andISISconfigurations.
Example 7-15. Retrieve routes
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config
ResponseBody:
<routing>
<routerId>1.1.1.1</routerId>
<logging>
</logging>
<ipPrefixes>
<ipPrefix>
<name>a</name>
</ipPrefix>
<ipPrefix>
<name>b</name>
VMware, Inc.
125
</ipPrefix>
</ipPrefixes>
<staticRouting>
<staticRoutes>
<route>
<vnic>0</vnic>
<mtu>1500</mtu>
<type>user</type>
</route>
<route>
<vnic>1</vnic>
<mtu>1500</mtu>
<type>user</type>
</route>
</staticRoutes>
<defaultRoute>
<vnic>0</vnic>
<mtu>1500</mtu>
</defaultRoute>
</staticRouting>
<ospf>
<forwardingAddress>192.168.10.2</forwardingAddress>
<ospfAreas>
<ospfArea>
<type>normal</type>
<authentication>
<type>password</type>
<value>vmware123</value>
</authentication>
</ospfArea>
</ospfAreas>
<ospfInterfaces>
<ospfInterface>
<vnic>0</vnic>
<helloInterval>10</helloInterval>
<deadInterval>40</deadInterval>
<priority>128</priority>
<cost>10</cost>
</ospfInterface>
</ospfInterfaces>
<redistribution>
<rules>
<rule>
<id>1</id>
<prefixName>a</prefixName>
<from>
<isis>true</isis>
<ospf>false</ospf>
<bgp>false</bgp>
<static>false</static>
<connected>true</connected>
</from>
<action>deny</action>
</rule>
126
VMware, Inc.
<rule>
<id>0</id>
<prefixName>b</prefixName>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>true</bgp>
<connected>false</connected>
</from>
</rule>
</rules>
</redistribution>
</ospf>
<bgp>
<bgpNeighbours>
<bgpNeighbour>
<forwardingAddress>192.168.1.10</forwardingAddress>
<weight>60</weight>
<keepAliveTimer>60</keepAliveTimer>
<bgpFilters>
<bgpFilter>
<ipPrefixGe>17</ipPrefixGe>
<ipPrefixLe>32</ipPrefixLe>
</bgpFilter>
<bgpFilter>
<direction>out</direction>
</bgpFilter>
</bgpFilters>
</bgpNeighbour>
</bgpNeighbours>
<redistribution>
<rules>
<rule>
<id>1</id>
<from>
<isis>true</isis>
<ospf>true</ospf>
<bgp>false</bgp>
<static>true</static>
</from>
</rule>
<rule>
<id>0</id>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>false</bgp>
</from>
VMware, Inc.
127
</rule>
</rules>
</redistribution>
</bgp>
</routing>
Delete Routes
DeletestheroutingconfigurationstoredintheNSXManagerdatabaseandthedefaultroutesfromthe
specifiedNSXEdgerouter.
Example 7-16. Delete routing
Request
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config
Manage Global Routing Configuration

Configuresthedefaultgatewayforstaticroutesanddynamicroutingdetails.
Specify Global Configuration

Example 7-17. Configure global route
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/global
RequestBody:
<logging>
</logging>
bgp -->
<ipPrefix>
</ipPrefix>
<ipPrefix>
<name>b</name>
</ipPrefix>
</ipPrefixes>
Query Global Route

RetrievesroutinginformationfromtheNSXManagerdatabaseforanedgewhichincludesthefollowing:
Defaultroutesettings
Staticrouteconfigurations
Example 7-18. Query global route

128
VMware, Inc.
Manage Static Routing

AddorquerystaticanddefaultroutesforsecifiedEdge.
Configure Static Routes

Configuresstaticanddefaultroutes.
Example 7-19. Configure static routes
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/static
RequestBody:
<staticRouting>
<staticRoutes>
<route>
<vnic>0</vnic>
</route>
<route>
<vnic>1</vnic>
</route>
</staticRoutes>
<defaultRoute>
<vnic>0</vnic>
</defaultRoute>
</staticRouting>
Query Static Routes

Retrievesstaticanddefaultroutes.
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/static
ResponseBody:
<staticRouting>
<staticRoutes>
<route>
<vnic>0</vnic>
<mtu>1500</mtu>
<type>user</type>
</route>
VMware, Inc.
129
<route>
<vnic>1</vnic>
<mtu>1500</mtu>
<type>user</type>
</route>
</staticRoutes>
<defaultRoute>
<vnic>0</vnic>
<mtu>1500</mtu>
</defaultRoute>
</staticRouting>
Delete Static Routes

DeletesbothstaticanddefaultroutingconfigurationstoredintheNSXManagerdatabase.
Example 7-21. Delete static routes
Request
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/static
Manage OSPF Routes for NSX Edge

NSXEdgesupportsOSPF,aninteriorgatewayprotocolthatroutesIPpacketsonlywithinasinglerouting
domain.Itgatherslinkstateinformationfromavailableroutersandconstructsatopologymapofthenetwork.
ThetopologydeterminestheroutingtablepresentedtotheInternetLayer,whichmakesroutingdecisions
basedonthedestinationIPaddressfoundinIPpackets.
OSPFroutingpoliciesprovideadynamicprocessoftrafficloadbalancingbetweenroutesofequalcost.An
OSPFnetworkisdividedintoroutingareastooptimizetraffic.AnareaisalogicalcollectionofOSPFnetworks,
routers,andlinksthathavethesameareaidentification.
AreasareidentifiedbyanAreaID.
Configure OSPF
Example 7-22. Configure OSPF
Request
PUThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/ospf
RequestBody:
<ospf>

<ospfAreas>
<ospfArea>
<type>normal</type> 
<authentication>
</authentication>
</ospfArea>
</ospfAreas>
<ospfInterfaces>
<ospfInterface>
130
VMware, Inc.
<vnic>0</vnic>
</ospfInterface>
</ospfInterfaces>
<redistribution>
<rules>
<rule>
<from>
<isis>true</isis>
<ospf>false</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>true</bgp>
</from>
</rule>
</rules>
</redistribution>
</ospf>
Query OSPF
Example 7-23. Query OSPF
Request
GEThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/ospf
ResponseBody:
<ospf>
<ospfAreas>
<ospfArea>
<type>normal</type>
<authentication>
</authentication>
</ospfArea>
</ospfAreas>
<ospfInterfaces>
<ospfInterface>
<vnic>0</vnic>
VMware, Inc.
131
<cost>10</cost>
</ospfInterface>
</ospfInterfaces>
<redistribution>
<rules>
<rule>
<id>1</id>
<from>
<isis>true</isis>
<ospf>false</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<id>0</id>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>true</bgp>
</from>
</rule>
</rules>
</redistribution>
</ospf>
Delete OSPF
DeletesOSPFrouting.
Example 7-24. Delete OSPF
Request
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/ospf
Manage ISIS Routes for NSX Edge

IntermediateSystemtoIntermediateSystem(ISIS)isaroutingprotocoldesignedtomoveinformationby
determiningthebestroutefordatagramsthroughapacketswitchednetwork.Atwolevelhierarchyisused
tosupportlargeroutingdomains.Alargedomainmaybedividedintoareas.Routingwithinanareais
referredtoasLevel1routing.RoutingbetweenareasisreferredtoasLevel2routing.ALevel2Intermediate
System(IS)keepstrackofthepathstodestinationareas.ALevel1ISkeepstrackoftheroutingwithinitsown
area.Forapacketgoingtoanotherarea,aLevel1ISsendsthepackettothenearestLevel2ISinitsownarea,
regardlessofwhatthedestinationareais.ThenthepackettravelsviaLevel2routingtothedestinationarea,
whereitmaytravelviaLevel1routingtothedestination.ThisisreferredtoasLevel12.
Configure ISIS
Example 7-25. Configure ISIS
Request
132
VMware, Inc.
PUThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/isis
RequestBody:
<isis>
<systemId>0004.c150.f1c0</systemId> 
<areaIds> 
<areaId>49.0005.8000.ab7c.0000.ffe9.0001</areaId>
<areaId>49.0005.8000.ab7c.0000.ffe9.0002</areaId> 
</areaIds>
<isType>level-1-2</isType> 
<domainPassword>vshield</domainPassword> 
<areaPassword>edge</areaPassword>

<isisInterfaces>
<isisInterface>
<vnic>0</vnic>
<meshGroup>10</meshGroup>

<helloInterval>10000</helloInterval> 
<helloMultiplier>3</helloMultiplier> 
<lspInterval>33</lspInterval>

<metric>10</metric>

<circuitType>level-1-2</circuitType> 
<password>msr</password>

</isisInterface>
</isisInterfaces>
<redistribution>
<rules>
<rule>
<from>
<isis>false</isis>
<ospf>true</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>true</bgp>
</from>
</rule>
</rules>
</redistribution>
</isis>
Query ISIS
Example 7-26. Query ISIS
Request
VMware, Inc.
133
GEThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/isis
ResponseBody:
<isis>
<systemId>0004.c150.f1c0</systemId>
<areaIds>
</areaIds>
<isType>level-1-2</isType>
<domainPassword>vshield</domainPassword>
<isisInterfaces>
<isisInterface>
<vnic>0</vnic>
<helloMultiplier>3</helloMultiplier>
<metric>10</metric>
<circuitType>level-1-2</circuitType>
</isisInterface>
</isisInterfaces>
<redistribution>
<rules>
<rule>
<id>1</id>
<from>
<isis>false</isis>
<ospf>true</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<id>0</id>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>true</bgp>
</from>
</rule>
</rules>
</redistribution>
</isis>
Delete ISIS
DeletesISISrouting.
Example 7-27. Delete ISIS
Request
134
VMware, Inc.
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/isis
Manage BGP Routes for NSX Edge

BorderGatewayProtocol(BGP)makescoreroutingdecisions.ItincludesatableofIPnetworksorprefixes
whichdesignatenetworkreachabilityamongautonomoussystems.Anunderlyingconnectionbetweentwo
BGPspeakersisestablishedbeforeanyroutinginformationisexchanged.Keepalivemessagesaresentoutby
theBGPspeakersinordertokeepthisrelationshipalive.Oncetheconnectionisestablished,theBGPspeakers
exchangeroutesandsynchronizetheirtables.
Configure BGP
Example 7-28. Configure BGP
Request
PUThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/bgp
RequestBody:
<bgp>
<enabled>true</enabled> 
<bgpNeighbours>
<bgpNeighbour>
<ipAddress>192.168.1.10</ipAddress> 
<weight>60</weight>

<bgpFilters>

<bgpFilter>
IPv4 prefixes -->
prefixes -->
</bgpFilter>
</bgpFilters>
</bgpNeighbour>
</bgpNeighbours>
<redistribution>
<rules>
<rule>
<from>
<isis>true</isis>
<ospf>true</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>false</bgp>
VMware, Inc.
135

</from>
</rule>
</rules>
</redistribution>
</bgp>
Query BGP
Example 7-29. Query BGP
Request
GEThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/bgp
ResponseBody:
<bgp>
<bgpNeighbours>
<bgpNeighbour>
<weight>60</weight>
<bgpFilters>
<bgpFilter>
</bgpFilter>
<bgpFilter>
</bgpFilter>
</bgpFilters>
</bgpNeighbour>
</bgpNeighbours>
<redistribution>
<rules>
<rule>
<id>1</id>
<from>
<isis>true</isis>
<ospf>true</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<id>0</id>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>false</bgp>
136
VMware, Inc.
</from>
</rule>
</rules>
</redistribution>
</bgp>
Delete BGP
DeletesBGProuting.
Example 7-30. Delete BGP
Request
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/bgp
Working with Bridging

YoucancreateanL2bridgebetweenalogicalswitchandaVLAN,whichenablesyoutomigratevirtual
workloadstophysicaldeviceswithnoimpactonIPaddresses.Alogicalnetworkcanleverageaphysical
gatewayandaccessexistingphysicalnetworkandsecurityresourcesbybridgingthelogicalswitchbroadcast
domaintotheVLANbroadcastdomain.
TheL2bridgerunsonthehostthathastheNSXEdgelogicalroutervirtualmachine.AnL2bridgeinstance
mapstoasingleVLAN,buttherecanbemultiplebridgeinstances.Thelogicalroutercannotbeusedasa
gatewayfordevicesconnectedtoabridge.
IfHighAvailabilityisenabledontheLogicalRouterandtheprimaryNSXEdgevirtualmachinegoesdown,
thebridgeisautomaticallymovedovertothehostwiththesecondaryvirtualmachine.Forthisseamless
migrationtohappen,VLANmusthavebeenconfiguredonthehostthathasthesecondaryNSXEdgevirtual
machine.
Configure a Bridge
Configuresabridge.
Example 7-31. Configure bridge
Request
PUThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/bridging/config
RequestBody:
<bridges>
<bridge>
<name>test1</name>
<virtualWire>virtualwire-1</virtualWire>
<dvportGroup>dvportgroup-36</dvportGroup>
</bridge>
<bridge>
<name>test2</name>
<virtualWire>virtualwire-2</virtualWire>
</bridge>
</bridges>
VMware, Inc.
137
Query Bridge Configuration

Retrievesbridgeconfiguration.
Query BGP
Example 7-32. Query bridges
Request
GEThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/bridging/config
ResponseBody:
<bridges>
<bridge>
<bridgeId>1</bridgeId>
<name>bridge1</name>
<virtualWire>dvportgroup-23</virtualWire>
</bridge>
</bridges>
Delete Bridge Configuration

Deletesbridges.
Example 7-33. Delete bridges
Request
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/bridging/config
138
VMware, Inc.
NSX Edge Services Gateway

Installation, Upgrade, and
Management
NSXEdgeServicesGatewaygivesyouaccesstoallNSXEdgeservicessuchasfirewall,NAT,DHCP,VPN,load
balancing,andhighavailability.YoucaninstallmultipleNSXEdgeservicesgatewayvirtualappliancesina
datacenter.EachNSXEdgevirtualappliancecanhaveatotaloftenuplinkandinternalnetworkinterfaces.
Theinternalinterfacesconnecttosecuredportgroupsandactasthegatewayforallprotectedvirtualmachines
intheportgroup.ThesubnetassignedtotheinternalinterfacecanbeapubliclyroutedIPspaceora
NATed/routedRFC1918privatespace.FirewallrulesandotherNSXEdgeservicesareenforcedontraffic
betweennetworkinterfaces.
UplinkinterfacesofNSXEdgeconnecttouplinkportgroupsthathaveaccesstoasharedcorporatenetwork
oraservicethatprovidesaccesslayernetworking.MultipleexternalIPaddressescanbeconfiguredforload
balancer,sitetositeVPN,andNATservices.
Afteryouinstallnetworkvirtualizationcomponentsandoneormorelogicalswitchesinyourenvironment,
youcansecureinternalnetworksbyinstallingaEdgeEdgeServicesgateway.
InstallingNSXEdgeServicesGatewayonpage 140
UpgradingvShieldEdge5.1.xor5.5toNSXEdgeonpage 142
QueryInstalledEdgesonpage 142
ModifyingNSXEdgeConfigurationonpage 146
DeletingNSXEdgeonpage 150
ConfiguringEdgeServicesinAsyncModeonpage 150
ConfiguringCertificatesonpage 151
WorkingwithNSXEdgeFirewallonpage 154
WorkingwithNATonpage 163
WorkingwithRoutingonpage 166
WorkingwithLoadBalanceronpage 180
ManagingSSLVPNonpage 206
WorkingwithL2VPNonpage 235
WorkingwithIPSECVPNonpage 238
ManaginganNSXEdgeonpage 243
VMware, Inc.
139
Installing NSX Edge Services Gateway

TheNSXEdgeinstallationAPIcopiestheNSXEdgeOVFfromtheEdgeManagertothespecifieddatastore
anddeploysanNSXdEdgeonthegivendatacenter.AftertheNSXEdgeisinstalled,thevirtualmachine
powersonandinitializesaccordingtothegivennetworkconfiguration.Ifanapplianceisadded,itisdeployed
withthespecifiedconfiguration.
InstallinganNSXEdgeinstanceaddsavirtualmachinetothevCenterServerinventory,Youmustspecifyan
IPaddressforthemanagementinterface,andyoumaynametheNSXEdgeinstance.
TheconfigurationyouspecifywhenyouinstallanNSXEdgeisstoredinthedatabase.Ifanapplianceisadded,
theconfigurationisappliedtoitanditisdeployed.
NOTEDonotusehidden/systemresourcepoolIDsastheyarenotsupportedontheUI.
Example 8-1. Install Services Gateway
Request
POST https://<nsxmgr-ip>/api/4.0/edges/
RequestBody
<edge>
<name>org1-edge</name> 
<description>Description for the edge gateway</description> 
<tenant>org1</tenant> 
<fqdn>org1edge1</fqdn> 
<vseLogLevel>info</vseLogLevel> 
<enableAesni>false</enableAesni> 
<enableFips>true</enableFips> 
<appliances> 
<applianceSize>compact</applianceSize> 
<enableCoreDump>true</enableCoreDump> 
<appliance>
<hostId>host-28</hostId> 
<vmFolderId>group-v38</vmFolderId> 
<customField> 
<key>system.service.vmware.vsla.main01</key>
<value>string</value>
</customField>
<cpuReservation> 
<limit>2399</limit>
<reservation>500</reservation>
<shares>500</shares>
</cpuReservation>
<memoryReservation> 
<limit>5000</limit>
</memoryReservation>
</appliance>
</appliances>
<vnics> 
<vnic>
<index>0</index>
<name>internal0</name> 
<type>internal</type> 
<portgroupId>dvportgroup-114</portgroupId> 
140
VMware, Inc.
Chapter 8 NSX Edge Services Gateway Installation, Upgrade, and Management
<addressGroups>
<addressGroup> 
<primaryAddress>192.168.3.1</primaryAddress> 
<secondaryAddresses> 
<ipAddress>192.168.3.3</ipAddress> 
</secondaryAddresses>
<subnetMask>255.255.255.0</subnetMask> 
</addressGroup>
<subnetPrefixLength>24</subnetPrefixLength>
</addressGroup>
<addressGroup> 
<primaryAddress>ffff::1</primaryAddress> 
<ipAddress>ffff::2</ipAddress>
<subnetPrefixLength>64</subnetPrefixLength> 
</addressGroup>
</addressGroups>
<macAddress> 
<edgeVmHaIndex>0</edgeVmHaIndex>
<value>00:50:56:01:03:23</value> 
</macAddress>
<fenceParameter> 
<key>ethernet0.filter1.param1</key>
<value>1</value>
</fenceParameter>
<mtu>1500</mtu> 
<enableProxyArp>false</enableProxyArp> 
<enableSendRedirects>true</enableSendRedirects> 
<isConnected>true</isConnected> 
<inShapingPolicy> 
<averageBandwidth>200000000</averageBandwidth>
<peakBandwidth>200000000</peakBandwidth>
<burstSize>0</burstSize>
<inherited>false</inherited>
</inShapingPolicy>
<outShapingPolicy> 
</outShapingPolicy>
</vnic>
</vnics>
<cliSettings> 
<userName>test</userName> 
<password>test123!</password> 
<remoteAccess>false</remoteAccess> 
</cliSettings>
<autoConfiguration> 
<enabled>true</enabled> 
<rulePriority>high</rulePriority> 
VMware, Inc.
141
</autoConfiguration>
<dnsClient> 
<primaryDns>10.117.0.1</primaryDns>
<secondaryDns>10.117.0.2</secondaryDns>
<domainName>vmware.com</domainName>
<domainName>foo.com</domainName>
</dnsClient>
<queryDaemon> 
<enabled>true</enabled> 
<port>5666</port> 
</queryDaemon>
</edge>
Upgrading vShield Edge 5.1.x or 5.5 to NSX Edge

UpgradesvShieldEdge5.1.xor5.5toNSXEdge.Theappliancesareupgradedandfeatureconfigurationsare
retainedandupgraded
Example 8-2. Upgrade vShield Edge
Request:
POST https://<nsxmgr-ip>/api//4.0/edges/{edgeId}?action=upgrade
IMPORTANTThelocationheaderreturnstheedgeIdoftheupgradedNSXEdge.YoumustusethisIDto
configureandmanagethisEdgeinstance.
IfvShieldEdgeinthepreviousreleasewasinstalledusinghidden/systemresourcepoolIDs,theUImayshow
unusualbehavior.
Query Installed Edges

YoucanretrievealistofNSXEdgesinyourinventoryorfiltertheresultsbydatacenterorportgroup.
Example 8-3. Retrieve Edges
RetrieveallEdgesRequest:
GET https://<nsxmgr-ip>/api/4.0/edges/
RetrieveEdgesbydatacenter:
GET /api/4.0/edges/?datacenter=<datacenterMoid>
RetrieveEdgesonspecifiedtenant:
GET /api/4.0/edges/?tenant=<tenantId>
RetrieveEdgeswithoneinterfaceonspecifiedportgroup:
GET /api/4.0/edges/?pg=<pgMoId>
RetrieveEdgeswithspecifiedtenantandportgroup:
GET /api/4.0/edges/?tenant=<tenant>&pg=<pgMoId>
Example 8-4. Retrieve Edge details

Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>
ResponseBody
142
VMware, Inc.
<edge>
<id>edge-79</id>
<description>testEdge</description>
<status>deployed</status>
<datacenterName>datacenterForEdge</datacenterName>
<name>testEdge</name>
<fqdn>testEdge</fqdn>
<edgeAssistId>1460487509</edgeAssistId>
<vnics>
<vnic>
<index>0</index>
<name>uplink-vnic-network-2581</name>
<type>uplink</type>
<portgroupId>network-2581</portgroupId>
<portgroupName>Mgmt</portgroupName>
<addressGroups>
<addressGroup>
<secondaryAddresses>
</addressGroup>
<addressGroup>
<subnetMask>255.255.255.0</subnetMask> 
</addressGroup>
<addressGroup>
<primaryAddress>ffff::1</primaryAddress>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<enableProxyArp>false</enableProxyArp>
<enableSendRedirects>true</enableSendRedirects>
</vnic>
.....
</vnics>
<appliances>
<appliance>
<vcUuid>4208f392-1693-11db-6355-4affd859ef33</vcUuid>
<vmId>vm-4021</vmId>
<resourcePoolName>Resources</resourcePoolName>
<datastoreName>shahm-esx-storage</datastoreName>
<vmFolderName>vm</vmFolderName>
<vmHostname>vShieldEdge-network-2264-0</vmHostname>
VMware, Inc.
143
<vmName>vShield-edge-79-0</vmName>
<deployed>true</deployed>
<edgeId>edge-79</edgeId>
</appliance>
</appliances>
<cliSettings>
</cliSettings>
<features>
<featureConfig/>
<firewall>
<defaultPolicy>
<loggingEnabled>false</loggingEnabled>
</defaultPolicy>
<rules>
<rule>
<id>131078</id>
<ruleTag>131078</ruleTag>
<name>rule1</name>
<ruleType>user</ruleType>
<source>
<groupingObjectId>ipset-938</groupingObjectId>
</source>
<destination/>
<application>
<applicationId>application-666</applicationId>
</application>
<action>accept</action>
<matchTranslated>false</matchTranslated>
</rule>
....
</rules>
</firewall>
<routing>
<staticRouting>
<defaultRoute>
<vnic>0</vnic>
<description>defaultGw on the external interface</description>
</defaultRoute>
<staticRoutes>
<route>
<vnic>0</vnic>
<type>user</type>
</route>
...
</staticRoutes>
</staticRouting>
<ospf>
<enabled>false</enabled>
</ospf>
</routing>
<highAvailability>
<declareDeadTime>6</declareDeadTime>
<logging>
144
VMware, Inc.
</logging>
</highAvailability>
<syslog>
<protocol>udp</protocol>
<serverAddresses>
</serverAddresses>
</syslog>
<ipsec>
<logging>
</logging>
<sites>
<site>
<name>site1</name>
<localId>10.112.2.40</localId>
<localIp>10.112.2.40</localIp>
<peerId>10.112.2.41</peerId>
<peerIp>10.112.2.41</peerIp>
<encryptionAlgorithm>aes256</encryptionAlgorithm>
<mtu>1500</mtu>
<enablePfs>true</enablePfs>
<dhGroup>dh2</dhGroup>
<localSubnets>
<subnet>192.168.10.0/24</subnet>
</localSubnets>
<peerSubnets>
<subnet>192.168.40.0/24</subnet>
</peerSubnets>
<psk>1234</psk>
<authenticationMode>psk</authenticationMode>
</site>
....
</sites>
<global>
<caCertificates/>
<crlCertificates/>
</global>
</ipsec>
<dhcp>
<staticBindings>
<staticBinding>
<autoConfigureDNS>true</autoConfigureDNS>
<bindingId>binding-1</bindingId>
<vnicId>1</vnicId>
<hostname>test</hostname>
<defaultGateway>192.168.10.1</defaultGateway>
<leaseTime>86400</leaseTime>
</staticBinding>
....
</staticBindings>
<ipPools>
<ipPool>
<poolId>pool-1</poolId>
<ipRange>192.168.10.2-192.168.10.5</ipRange>
VMware, Inc.
145
</ipPool>
....
</ipPools>
<logging>
</logging>
</dhcp>
<nat>
<natRules>
<natRule>
<ruleId>196610</ruleId>
<action>dnat</action>
<vnic>1</vnic>
<originalAddress>10.112.196.162</originalAddress>
<translatedAddress>192.168.10.3</translatedAddress>
<protocol>tcp</protocol>
<originalPort>80</originalPort>
<translatedPort>80</translatedPort>
</natRule>
....
</natRules>
</nat>
<featureConfig/>
</features>
<autoConfiguration>
<rulePriority>high</rulePriority>
<dnsClient>
</dnsClient>
<queryDaemon>
<port>5666</port>
</queryDaemon>
</edge>
Modifying NSX Edge Configuration

ReplacescurrentNSXEdgeconfiguration.
Example 8-5. Modify Edge configuration
Request:
PUT https://<nsxmgr-ip>/api//4.0/edges/{edgeId}
RequestBody:
<edge>
<id>edge-79</id>
<description>testEdge</description>
<name>testEdge</name>
146
VMware, Inc.
<fqdn>testEdge</fqdn>
<vnics>
<vnic>
<index>0</index>
<type>uplink</type>
<addressGroups>
</addressGroup>
<subnetPrefixLength>24</subnetPrefixLength> 
</addressGroup>
<subnetPrefixLength>64</subnetPrefixLength> 
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
</inShapingPolicy>
</outShapingPolicy>
</vnic>
</vnic>
.....
</vnics>
<appliances>
<appliance>
</appliance>
</appliances>
<cliSettings>
VMware, Inc.
147
</cliSettings>
<features>
<firewall>
<defaultPolicy>
</defaultPolicy>
<rules>
<rule>
<id>131078</id>
<name>rule1</name>
<source>
</source>
<destination/>
<application>
</application>
</rule>
....
</rules>
</firewall>
<routing>
<staticRouting>
<defaultRoute>
<vnic>0</vnic>
<description>defaultGw on the external interface</description>
</defaultRoute>
<staticRoutes>
<route>
<vnic>0</vnic>
<type>user</type>
</route>
...
</staticRoutes>
</staticRouting>
<ospf>
</ospf>
</routing>
<highAvailability>
<declareDeadTime>6</declareDeadTime>
<logging>
</logging>
</highAvailability>
<syslog>
<serverAddresses>
</serverAddresses>
</syslog>
<ipsec>
<logging>
148
VMware, Inc.
</logging>
<sites>
<site>
<name>site1</name>
<mtu>1500</mtu>
<localSubnets>
<subnet>192.168.10.0/24</subnet>
</localSubnets>
<peerSubnets>
<subnet>192.168.40.0/24</subnet>
</peerSubnets>
<psk>1234</psk>
</site>
....
</sites>
<global>
<caCertificates/>
<crlCertificates/>
</global>
</ipsec>
<dhcp>
<staticBindings>
<staticBinding>
<bindingId>binding-1</bindingId>
<vnicId>1</vnicId>
<hostname>test</hostname>
</staticBinding>
....
</staticBindings>
<ipPools>
<ipPool>
<ipRange>192.168.10.2-192.168.10.5</ipRange>
</ipPool>
....
</ipPools>
<logging>
</logging>
</dhcp>
<nat>
<natRules>
<natRule>
VMware, Inc.
149
<vnic>1</vnic>
</natRule>
....
</natRules>
</nat>
</features>
<autoConfiguration>
</edge>
wheregroupingObjectIdcanbecluster,network,etc.
Deleting NSX Edge

DeletesspecifiedEdgefromdatabase.Associatedappliancesarealsodeleted.
Example 8-6. Delete Edge
Request
DELETE https://<nsxmgr-ip>/api/4.0/edges/{edgeId}
Configuring Edge Services in Async Mode

YoucanconfigureEdgetoworkinasyncmode.Intheasyncmode,accepted commands return an Accepted status
and a taskId. To know the status of the task, you can check the status of that taskId.
TheadvantageoftheasyncmodeisthatAPIsarereturnedveryfastandactionslikevmdeployment,reboots,
publishtoEdgeappliance,etcaredonebehindthesceneunderthetaskId.
Toconfigureasyncmode,?async=trueattheendofany4.0serviceconfigurationURLforPOST,PUT,and
DELETEcalls.Withoutasyncmode,thelocationheaderinHTTPresponsehastheresourceIDwhereasin
asyncmode,locationheaderhasthejobID.
Query Async Job Status

Retrievesjobstatus(SUCCESS/FAILED/QUEUED/RUNNING/ROLLBACK),URIoftheresource,andIDof
theresourceasshowninoutputrepresentation.
Example 8-7. Query job status
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/jobs/<jobId>
ResponseBody:
<edgeJob>
<jobId>jobdata-2128</jobId>
<message>Deploying vShield Edge Virtual Machine TestEdge11-0</message>
<result>
<key>ResultURI</key>
<value>/api/4.0/edges/edge-4</value>
150
VMware, Inc.
</result>
<result>
<key>edgeId</key>
<value>edge-4</value>
</result>
</edgeJob>
Query all Jobs

Example 8-8. Query all jobs
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeid}/jobs?status=all
RequestBody:
<edgeJobs>
<edgeJob>
<status>COMPLETED</status>
<result>
<key>edgeId</key>
</result>
</edgeJob>
<edgeJob>
<result>
<key>edgeId</key>
</result>
</edgeJob>
<edgeJob>
Query active Jobs

Example 8-9. Query active jobs
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeid}/jobs?status=active
RequestBody:
<edgeJobs>
<edgeJob>
<message>Publishing configurations on vShield Edge Virtual Machine vm-65</message>
<result>
<key>edgeId</key>
</result>
</edgeJob>
</edgeJobs>
Configuring Certificates
vShieldEdgesupportsselfsignedcertificates,certificatessignedbyaCertificationAuthority(CA),and
certificatesgeneratedandsignedbyaCA.
VMware, Inc.
151
Working with Certificates

Allowsyoutomanageselfsignedcertificates.
Create Certificate
Createsasingleormultiplecertificates.
Example 8-10. Create self signed certificate
Request:
POST https://<vsm-ip>/api/2.0/services/truststore/certificate/<scopeId>
<trustObject>
<pemEncoding></pemEncoding>
<privateKey></privateKey>
<passphrase></passphrase>
</trustObject>
Create Certificate or Certificate Chain for CSR

Importsacertificateoracertificatechainagainstacertificatesigningrequest.
Example 8-11. Create certificate for CSR
Request:
POST https://<vsm-ip>/api/2.0/services/truststore/certificate?csrId=<csrId>
RequestBody:
<trustObject>
</trustObject>
Query Certificates
RetrievesthecertificateobjectforthespecifiedcertificateID.IfthecertificateIDisachain,multiplecertificate
objectsareretrieved.
Example 8-12. Query specific certificate
Request:
GET https://<vsm-ip>/api/2.0/services/truststore/certificate/<certificateId>
Example 8-13. Query all certificates for a scope

Request:
GET https://<vsm-ip>/api/2.0/services/truststore/certificate/scope/<scopeId>
Delete Certificate
Deletesthespecifiedcertificate.
Example 8-14. Delete certificate
Request:
152
VMware, Inc.
DELETE https://<vsm-ip>/api/2.0/services/truststore/certificate/<certificateId>
Working with Certificate Signing Requests (CSRs)

AllowsyoutomanageCSRs.
Create CSR
Example 8-15. Create CSR
Request:
POST https://<vsm-ip>/api/2.0/services/truststore/csr/<scopeId>
RequestBody:
<csr>
<subject>
<attribute>
<key>CN</key>
<value>VSM</value>
</attribute>
<attribute>
<key>O</key>
<value>VMware</value>
</attribute>
<attribute>
<key>OU</key>
<value>IN</value>
</attribute>
<attribute>
<key>C</key>
<value>IN</value>
</attribute>
</subject>
<algorithm>RSA</algorithm>
<keySize>1024</keySize>
</csr>
Create Self Signed Certificate for CSR

Example 8-16. Create self signed certificate for CSR
Request:
PUT https://<vsm-ip>/api/2.0/services/truststore/csr/<csrId>?noOfDays=<value>
Query CSRs
RetrievesspecifiedCSRorallCSRsforspecifiedscope.
Example 8-17. Query specific CSR
GET https://<vsm-ip>/api/2.0/services/truststore/csr/<csrId>
Example 8-18. Query CSRs for specific scope

GET https://<vsm-ip>/api/2.0/services/truststore/csr/scope/<scopeId>
RequestBody:
<csrs>
<csr>
VMware, Inc.
153
...
</csr>
<csr>
...
</csr>
...
</csrs>
Working with Certificate Revocation List (CRL)

AllowsyoutomanageCRLs.
Create a CRL
CreatesaCRLonthespecifiedscope.
Example 8-19. Create CRL
Request:
POST https://<vsm-ip>/api/2.0/services/truststore/crl/<scopId>
Request Body:
<trustObject>
</trustObject>
Query CRL
RetrievesallCRLscertificatesforthespecifiedcertificateorscope.
Example 8-20. Query CRL
RetrievecertificateobjectforthespecifiedcertificateID:
GET https://<vsm-ip>/api/2.0/services/truststore/crl/<crlId>
Retrieveallcertificatesforthespecifiedscope:
GET https://<vsm-ip>/api/2.0/services/truststore/crl/scope/<scopeId>
Delete CRL
DeletesthespecifiedCRL.
Example 8-21. Delete CRL
Request:
DELETE https://<vsm-ip>/api/2.0/services/truststore/crl/<crlId>
Working with NSX Edge Firewall

EdgeFirewallprovidesperimetersecurityfunctionalityincludingfirewall,NetworkAddressTranslation
(NAT)aswellasSitetositeIPSecandSSLVPNfunctionality.Thissolutionisavailableinthevirtualmachine
formfactorandcanbedeployedinaHighAvailabilitymode.
154
VMware, Inc.
Configure Firewall
ConfiguresfirewallforanEdgeandstoresthespecifiedconfigurationindatabase.Ifanyappliance(s)are
associatedwiththisedge,appliestheconfigurationtothese.WhileusingthisAPI,theusershouldsendthe
globalConfig,defaultPolicyandtherules.Ifeitherofthemarenotsent,thepreviousconfigifanyonthose
fieldswillberemovedandwillbechangedtothesystemdefaults.
Example 8-22. Configure firewall
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/firewall/config
RequestBody:
<?xml version="1.0"?>
<firewall>
<defaultPolicy> <-- Optional. default is deny -->
<loggingEnabled>false</loggingEnabled> 
</defaultPolicy>
<globalConfig> 
<tcpPickOngoingConnections>false</tcpPickOngoingConnections> 
<tcpAllowOutOfWindowPackets>false</tcpAllowOutOfWindowPackets> 
<tcpSendResetForClosedVsePorts>true</tcpSendResetForClosedVsePorts> 
<dropInvalidTraffic>true</dropInvalidTraffic> 
<logInvalidTraffic>false</logInvalidTraffic> 
<tcpTimeoutOpen>30</tcpTimeoutOpen>

<tcpTimeoutEstablished>3600</tcpTimeoutEstablished> 
<tcpTimeoutClose>30</tcpTimeoutClose> 
<udpTimeout>60</udpTimeout>
<icmpTimeout>10</icmpTimeout>
<icmp6Timeout>10</icmp6Timeout>
<ipGenericTimeout>120</ipGenericTimeout> 
</globalConfig>
<rules>
<rule>

<name>rule1</name>

<source>

<vnicGroupId>vnic-index-5</vnicGroupId> 
<groupingObjectId>ipset-128</groupingObjectId> 
<ipAddress>1.1.1.1</ipAddress> 
</source>
<destination>
<groupingObjectId>ipset-126</groupingObjectId> 
<ipAddress>192.168.10.0/24</ipAddress> 
</destination>
<application>

<applicationId>application-155</applicationId> 
<service> 
<port>80</port> 
<sourcePort>1500</sourcePort> 
</service>
</application>
<matchTranslated>true</matchTranslated>




VMware, Inc.
155
<loggingEnabled>true</loggingEnabled> 

<description>comments</description>

</rule>
<rule>
...
</rule>
.....
</rules>
</firewall>
whereruleIduniquelyidentifiesaruleandshouldbespecifiedonlyforrulesthatarebeingupdated.
IfruleTagisspecified,therulesonEdgeareconfiguredusingthisuserinput.Otherwise,Edgeisconfigured
usingruleIdsgeneratedbyNSXManager.
Query Firewall Configuration

RetrievesfirewallconfigurationonspecifiedEdge.
Example 8-23. Query firewall
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/firewall/config
ResponseBody:
<firewall>
<defaultPolicy>
</defaultPolicy>
<globalConfig>
<tcpPickOngoingConnections>false</tcpPickOngoingConnections>
<tcpAllowOutOfWindowPackets>false</tcpAllowOutOfWindowPackets>
<tcpSendResetForClosedVsePorts>true</tcpSendResetForClosedVsePorts>
<dropInvalidTraffic>true</dropInvalidTraffic>
<logInvalidTraffic>false</logInvalidTraffic>
<tcpTimeoutEstablished>3600</tcpTimeoutEstablished>
<tcpTimeoutClose>30</tcpTimeoutClose>
<ipGenericTimeout>120</ipGenericTimeout>
</globalConfig>
<rules>
<rule>
<id>131079</id>
<name>firewall</name>
<ruleType>internal_high</ruleType>
<source>
<vnicGroupId>vse</vnicGroupId>
</source>
<description>firewall</description>
</rule>
<rule>
<id>131080</id>
156
VMware, Inc.
<name>ipsec</name>
<ruleType>internal_high</ruleType>
<source>
</source>
<destination>
</destination>
<application>
</application>
<description>ipsec</description>
</rule>
<rule>
<id>131077</id>
<name>name1</name>
<source>
<ipAddress>1.1.1.1</ipAddress> 
<ipAddress>2.2.2.2/24</ipAddress> 
<ipAddress>1.1.1.1-1.1.1.10</ipAddress> 
</source>
<destination>
<vnicGroupId>vse</vnicGroupId>
<vnicGroupId>external</vnicGroupId>
</destination>
<application> 
<service> 
<port>80</port>
</service>
</application>
</rule>
<rule>
<id>131078</id>
<name>name2</name>
<source>
</source>
<destination/>
<application>
</application>
</rule>
VMware, Inc.
157
<rule>
<id>131075</id>
<name>default rule for ingress traffic</name>
<ruleType>default_policy</ruleType>
<description>default rule for ingress traffic</description>
</rule>
</rules>
</firewall>
Append Firewall Rules

Addsoneormorerulesbelowtheexistingrulesintherulestable.
Example 8-24. Add firewall rule
POST https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/firewall/config/rules
RequestBody:
<rules>
<rule>
<name>rule1</name>

<source>
of these -->
</source>
<destination>
of these -->
</destination>
<application>
</application>

</rule>
<rule>
...
</rule>
Add a Firewall Rule Above a Specific Rule

YoucanaddaruleaboveaspecificrulebyindicatingitsruleID.Ifnouserrulesexistinthefirewallrulestable,
youcanspecifyruleId=0.IfyoudonotspecifyaruleIDorthespecifiedruleIDdoesnotexist,EdgeManager
displaysanerror.
Example 8-25. Add a rule above a specific rule
Request:
158
VMware, Inc.
POST https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/firewall/config/rules?aboveRuleId=<ruleId>
RequestBody:
<rule>
<name>rule1</name>

<source>
of these -->
</source>
<destination>
of these -->
</destination>
<application>
</application>

</rule>
Query Specific Rule

Example 8-26. Retrieve specific rule
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/firewall/config/rules/<ruleId>
ResponseBody:
<rule>
<name>new rule</name>
<source>
<vnicGroupId>vnic-index-5</vnicGroupId>
</source>
<destination>
</destination>
<loggingEnabled>true</loggingEnabled>
<description/>
</rule>
Modify Firewall Rule

YoucanmodifyarulebyspecifyingitsruleID.
Example 8-27. .Update specific rule
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/firewall/config/rules/<ruleId>
ResponseBody:
<rule>
VMware, Inc.
159
<name>rule1</name>

<source>
of these -->
</source>
<destination>
of these -->
of these -->
</destination>
<application>
</application>

</rule>
Delete a Firewall Rule

DeletestherulewiththespecifiedruleID.
Example 8-28. Delete firewall rule
RequestBody;
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/firewall/config/rules/<ruleId>
Delete Firewall Configuration

DeletesfirewallconfigurationforEdge.
Example 8-29. Delete firewall configuration
Request:
DELETE https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/firewall/config
Manage Global Firewall Configuration

Globalfirewallconfigurationallowsfinegrainedtuningoffirewallbehavioranditsstatefulsessiontimeouts.
Thedefaultsettingsoftheseparametersaresetfornormalstatefulfirewalloperation.Administratorsarenot
expectedtomodifythesedefaultsettingsunlesstosupportaspecificcustomscenario.
Query Global Firewall Configuration

Retrievesthefirewalldefaultpolicyforanedge.
160
VMware, Inc.
Example 8-30. Query global firewall configuration

Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/firewall/config/global
ResponseBody:
<globalConfig>
<tcpPickOngoingConnections>false</tcpPickOngoingConnections>
<tcpAllowOutOfWindowPackets>false</tcpAllowOutOfWindowPackets>
<tcpSendResetForClosedVsePorts>true</tcpSendResetForClosedVsePorts>
<dropInvalidTraffic>true</dropInvalidTraffic>
<logInvalidTraffic>false</logInvalidTraffic>
<tcpTimeoutEstablished>3600</tcpTimeoutEstablished>
<tcpTimeoutClose>30</tcpTimeoutClose>
<ipGenericTimeout>120</ipGenericTimeout>
</globalConfig>
Modify Global Configuration

Configuresfirewallglobalconfigforanedge.Storesthespecifiedconfigurationindatabase.Ifany
appliance(s)areassociatedwiththisedge,appliestheconfigurationtothese.Doesnotchangethe
defaultPolicyandrules.
Example 8-31. Modify global firewall configuration
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/firewall/config/global
ResponseBody:
<globalConfig> 
<tcpPickOngoingConnections>false</tcpPickOngoingConnections> 
<tcpAllowOutOfWindowPackets>false</tcpAllowOutOfWindowPackets> 
<tcpSendResetForClosedVsePorts>true</tcpSendResetForClosedVsePorts> 
<dropInvalidTraffic>true</dropInvalidTraffic> 
<logInvalidTraffic>false</logInvalidTraffic> 
<tcpTimeoutEstablished>3600</tcpTimeoutEstablished> 
<tcpTimeoutClose>30</tcpTimeoutClose> 
<ipGenericTimeout>120</ipGenericTimeout> 
</globalConfig>
Manage Default Firewall Policy

Defaultfirewallsettingsapplytotrafficthatdoesnotmatchanyoftheuserdefinedfirewallrules.Thedefault
Edgefirewallpolicyblocksallincomingtraffic.
Query Default Firewall Policy

RetrievesdefaultfirewallpolicyforthespecifiedEdge.
Example 8-32. Query default firewall configuration
Request:
VMware, Inc.
161
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/firewall/config/defaultpolicy
ResponseBody:
<firewallDefaultPolicy>
<action>ACCEPT</action>
</firewallDefaultPolicy>
Modify Default Firewall Policy

ConfiguresdefaultfirewallpolicyforthespecifiedEdge.
Example 8-33. Modify default firewall configuration
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/firewall/config/defaultpolicy
ResponseBody:
<firewallDefaultPolicy>
<action>ACCEPT</action>
</firewallDefaultPolicy>
Query Firewall Statistics

Retrievesnumberofongoingconnectionsforthefirewallconfiguration.
Example 8-34. Query firewall statistics
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/firewall/statistics/dashboard/firewall?interval=<range>
ResponseBody:
<dashboardStatistics>
<meta>
<startTime>1336068000</startTime> 
<endTime>1336100700</endTime> 
<interval>300</interval>
</meta>
<data>
<firewall>
</firewall>
</data>
</dashboardStatistics>
whereinput range can be given in query parameter:

Default(whennotspecified):60mins(Onehour)
Thisinputiseither160minutesoroneDay|oneWeek|oneMonth|oneYear
Query Firewall Statistics for Rule

Retrievesstatisticsforarule.
162
VMware, Inc.
Example 8-35. Query statistics for a rule

Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/firewall/statistics/{ruleId}
ResponseBody:
<firewallRuleStats>
<timestamp>1342317563</timestamp>
<connectionCount>0</connectionCount>
<packetCount>0</packetCount>
<byteCount>0</byteCount>
</firewallRuleStats>
Disable Firewall
FirewallcanbedisabledonlyonanxlargeEdge.
Example 8-36. Disable Firewall
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/firewall/config
RequestBody:
<firewall><enabled>false</enabled></firewall>
Working with NAT

Configure NAT
NSXEdgeprovidesnetworkaddresstranslation(NAT)servicetoprotecttheIPaddressesofinternal(private)
networksfromthepublicnetwork.YoucanconfigureNATrulestoprovideaccesstoservicesrunningon
privatelyaddressedvirtualmachines.TherearetwotypesofNATrulesthatcanbeconfigured:SNATand
DNAT.WhenyoupostaNATconfiguration,alltherules(bothSNATandDNAT)mustbepostedtogether.
Otherwise,onlythepostedrulesareretained,andunpostedrulesaredeleted.
AllSNATandDNATrulesconfiguredbyusingRESTrequestsappearundertheNATtabfortheappropriate
EdgeEdgeintheEdgeManageruserinterfaceandinthevSphereClientplugin.
Example 8-37. Configure SNAT and DNAT rules for a Edge Edge
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/nat/config
<nat>
<natRules>
<natRule>

<vnic>0</vnic>
<loggingEnabled>true</loggingEnabled> 

<description>my comments</description> 

<translatedPort>3389</translatedPort> 

</natRule>
<natRule>
VMware, Inc.
163


<description>no comments</description> 
</natRule>
</natRules>
</nat>
Forthedatapathtowork,youneedtoaddfirewallrulestoallowtherequiredtrafficforIPaddressesandport
pertheNATrules.
Rules:
Youmustadd<icmpType>ifyouconfigureicmpastheprotocol.
TheoriginalAddressandtranslatedAddresselementscanbeenteredineitherofthesemethods:
<ipAddress>specifiedasasingleIPaddress,ahyphenseparatedIPaddressrange(forexample,
192.168.10.1-192.168.10.2555)orasubnetinCIDRnotation(198.168.10.1/24).
thekeywordany
TheoriginalPortandtranslatedPortparameterscanbeenteredinoneofthefollowingformats:thekeyword
any,theportnumberasaninteger,orarangeofportnumber,forexampleportX-portY.
YoucanaddmultipleSNATrulesbyenteringmultiple<type>snat</type>sectionsinthebody.
SNATdoesnotsupportportorprotocolparameters.
Loggingisdisabledbydefault.Toenablelogging,addan<enableLog>elementsettotrue.
Query NAT Rules for a Edge Edge

Example 8-38. Query SNAT and DNAT rules for a Edge Edge
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/nat/config
ResponseBody:
<nat>
<natRules>
<natRule>
<vnic>0</vnic>
<description>my comments</description>
</natRule>
<natRule>
<action>snat</action>
<vnic>1</vnic>
164
VMware, Inc.
<description>no comments</description>
<protocol>any</protocol>
<originalPort>any</originalPort>
<translatedPort>any</translatedPort
</natRule>
</natRules>
</nat>
Delete all NAT Rules

DeletesallSNATandDNATrulesforaEdgeEdge.Theautoplumbedrulescontinuetoexist.
Example 8-39. Delete NAT rules
Request:
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/nat/config
Add a NAT Rule above a Specific Rule

AddsaNATruleabovethespecifiedruleID.IfnoNATrulesexistintheNATrulestable,youcanspecify
ruleId=0.IfyoudonotspecifyaruleIDorthespecifiedruleIDdoesnotexist,EdgeManagerdisplaysanerror.
Example 8-40. Add a NAT rule above a specific rule
POST https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/nat/config/rules?aboveRuleId=<ruleId>
RequestBody:
<natRule>
<vnic>0</vnic>
</natRule>
Append NAT Rules

AppendsoneormorerulestothebottomoftheNATrulestable.
Example 8-41. Add NAT rules to the bottom of the rules table
POST https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/nat/config/rules
ResponseBody:
<natRules>
<natRule>
<vnic>0</vnic>
VMware, Inc.
165
</natRule>
</natRules>
wherevnicistheinternaloruplinkinterfaceoftheEdgeEdge(09).
Modify a NAT Rule

ReplacestheNATrulewiththespecifiedruleID.
Example 8-42. Replaces a NAT rule
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/nat/config/rules/ruleID
ResponseBody:
<natRule>
<vnic>0</vnic>
</natRule>
wherevnicistheinternaloruplinkinterfaceoftheEdgeEdge(09).
Delete a NAT Rule

DeletestherulewiththespecifiedruleID.
Example 8-43. Delete NAT rule
Request:
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/nat/config/rules/ruleID
Working with Routing

YoucanspecifystaticanddynamicroutingforeachNSXEdge.
Dynamicroutingprovidesthenecessaryforwardinginformationbetweenlayer2broadcastdomains,thereby
allowingyoutodecreaselayer2broadcastdomainsandimprovenetworkefficiencyandscale.NSXextends
thisintelligencetowheretheworkloadsresidefordoingEastWestrouting.Thisallowsmoredirectvirtual
machinetovirtualmachinecommunicationwithoutthecostlyortimelyneedtoextendhops.Atthesame
time,NSXalsoprovidesNorthSouthconnectivity,therebyenablingtenantstoaccesspublicnetworks.
Configure Routes
ConfiguresglobalConfig,staticRouting,OSPG,BGP,andISIS.
Example 8-44. Configure routes
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config
<routing>
166
VMware, Inc.
<logging>
</logging>
bgp -->
<ipPrefix>
</ipPrefix>
<ipPrefix>
<name>b</name>
</ipPrefix>
</ipPrefixes>
<staticRouting>
<staticRoutes> 
<route>
<vnic>0</vnic>
</route>
<route>
<vnic>1</vnic>
</route>
</staticRoutes>
<defaultRoute>

<vnic>0</vnic>
</defaultRoute>
</staticRouting>
<ospf>

<ospfAreas>
<ospfArea>
<authentication>
</authentication>
</ospfArea>
</ospfAreas>
<ospfInterfaces>
<ospfInterface>
<vnic>0</vnic>
</ospfInterface>
</ospfInterfaces>
<redistribution>
<rules>
VMware, Inc.
167
<rule>
<from>
<isis>true</isis>
<ospf>false</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>true</bgp>
</from>
</rule>
</rules>
</redistribution>
</ospf>
<isis>

</areaIds>
<isisInterfaces>
<isisInterface>
<vnic>1</vnic>
<metric>10</metric>
used -->
</isisInterface>
</isisInterfaces>
<redistribution>
<rules>
<rule>
<from>
<isis>false</isis>
<ospf>true</ospf>
<bgp>false</bgp>
</from>
</rule>
168
VMware, Inc.
<rule>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>true</bgp>
</from>
</rule>
</rules>
</redistribution>
</isis>
<bgp>

<enabled>true</enabled> 
<bgpNeighbours>
<bgpNeighbour>
<weight>60</weight>

<keepAliveTimer>60</keepAliveTimer> 

<bgpFilters>

<bgpFilter>
IPv4 prefixes -->
prefixes -->
</bgpFilter>
</bgpFilters>
</bgpNeighbour>
</bgpNeighbours>
<redistribution>
<rules>
<rule>
<from>
<isis>true</isis>
<ospf>true</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>false</bgp>
</from>
</rule>
</rules>
</redistribution>
</bgp>
VMware, Inc.
169
</routing>
Query Routes
Example 8-45. Retrieve routes
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config
ResponseBody:
<staticRouting>
<staticRoutes>
<route>
<vnic>0</vnic>
<mtu>1500</mtu> 
<ipPrefix>
</ipPrefix>
<ipPrefix>
<name>b</name>
</ipPrefix>
</ipPrefixes>
Query Global Route

RetrievesroutinginformationfromtheNSXManagerdatabaseforanedgewhichincludesthefollowing:
Defaultroutesettings
Staticrouteconfigurations
Example 8-48. Query global route

RequestBody:
Manage Static Routing

AddorquerystaticanddefaultroutesforsecifiedEdge.
Configure Static Routes

Configuresstaticanddefaultroutes.
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/static
RequestBody:
<staticRouting>
<staticRoutes>
<route>
<vnic>0</vnic>
</route>
<route>
<vnic>1</vnic>
VMware, Inc.
171
</route>
</staticRoutes>
<defaultRoute>
<vnic>0</vnic>
</defaultRoute>
</staticRouting>
Query Static Routes

Retrievesstaticanddefaultroutes.
Example 8-50. Query static routes
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/static
ResponseBody:
<staticRouting>
<staticRoutes>
<route>
<vnic>0</vnic>
<mtu>1500</mtu>
<type>user</type>
</route>
<route>
<vnic>1</vnic>
<mtu>1500</mtu>
<type>user</type>
</route>
</staticRoutes>
<defaultRoute>
<vnic>0</vnic>
<mtu>1500</mtu>
</defaultRoute>
</staticRouting>
Delete Static Routes

DeletesbothstaticanddefaultroutingconfigurationstoredintheNSXManagerdatabase.
Example 8-51. Delete static routes
Request
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/static
172
VMware, Inc.
Manage OSPF Routes for NSX Edge

NSXEdgesupportsOSPF,aninteriorgatewayprotocolthatroutesIPpacketsonlywithinasinglerouting
domain.Itgatherslinkstateinformationfromavailableroutersandconstructsatopologymapofthenetwork.
ThetopologydeterminestheroutingtablepresentedtotheInternetLayer,whichmakesroutingdecisions
basedonthedestinationIPaddressfoundinIPpackets.
OSPFroutingpoliciesprovideadynamicprocessoftrafficloadbalancingbetweenroutesofequalcost.An
OSPFnetworkisdividedintoroutingareastooptimizetraffic.AnareaisalogicalcollectionofOSPF
networks,routers,andlinksthathavethesameareaidentification.
AreasareidentifiedbyanAreaID.
Configure OSPF
Example 8-52. Configure OSPF
Request
PUThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/ospf
RequestBody:
<ospf>

<ospfAreas>
<ospfArea>
<authentication>
</authentication>
</ospfArea>
</ospfAreas>
<ospfInterfaces>
<ospfInterface>
<vnic>0</vnic>
</ospfInterface>
</ospfInterfaces>
<redistribution>
<rules>
<rule>
<from>
<isis>true</isis>
<ospf>false</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>true</bgp>
VMware, Inc.
173

</from>
</rule>
</rules>
</redistribution>
</ospf>
Query OSPF
Example 8-53. Query OSPF
Request
GEThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/ospf
RequestBody:
<ospf>
<ospfAreas>
<ospfArea>
<type>normal</type>
<authentication>
</authentication>
</ospfArea>
</ospfAreas>
<ospfInterfaces>
<ospfInterface>
<vnic>0</vnic>
<cost>10</cost>
</ospfInterface>
</ospfInterfaces>
<redistribution>
<rules>
<rule>
<id>1</id>
<from>
<isis>true</isis>
<ospf>false</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<id>0</id>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>true</bgp>
</from>
174
VMware, Inc.
</rule>
</rules>
</redistribution>
</ospf>
Delete OSPF
DeletesOSPFrouting.
Example 8-54. Delete OSPF
Request
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/ospf
Manage ISIS Routes for NSX Edge

IntermediateSystemtoIntermediateSystem(ISIS)isaroutingprotocoldesignedtomoveinformationby
determiningthebestroutefordatagramsthroughapacketswitchednetwork.Atwolevelhierarchyisused
tosupportlargeroutingdomains.Alargedomainmaybedividedintoareas.Routingwithinanareais
referredtoasLevel1routing.RoutingbetweenareasisreferredtoasLevel2routing.ALevel2Intermediate
System(IS)keepstrackofthepathstodestinationareas.ALevel1ISkeepstrackoftheroutingwithinitsown
area.Forapacketgoingtoanotherarea,aLevel1ISsendsthepackettothenearestLevel2ISinitsownarea,
regardlessofwhatthedestinationareais.ThenthepackettravelsviaLevel2routingtothedestinationarea,
whereitmaytravelviaLevel1routingtothedestination.ThisisreferredtoasLevel12.
Configure ISIS
Example 8-55. Configure ISIS
Request
PUThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/isis
RequestBody:
<isis>
</areaIds>
<isisInterfaces>
<isisInterface>
<vnic>0</vnic>
<metric>10</metric>
used -->
</isisInterface>
</isisInterfaces>
VMware, Inc.
175
<redistribution>
<rules>
<rule>
<from>
<isis>false</isis>
<ospf>true</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>true</bgp>
</from>
</rule>
</rules>
</redistribution>
</isis>
Query ISIS
Example 8-56. Query ISIS
Request
GEThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/isis
RequestBody:
<isis>
<systemId>0004.c150.f1c0</systemId>
<areaIds>
</areaIds>
<isType>level-1-2</isType>
<domainPassword>vshield</domainPassword>
<isisInterfaces>
<isisInterface>
<vnic>0</vnic>
<helloMultiplier>3</helloMultiplier>
<metric>10</metric>
<circuitType>level-1-2</circuitType>
</isisInterface>
</isisInterfaces>
<redistribution>
176
VMware, Inc.
<rules>
<rule>
<id>1</id>
<from>
<isis>false</isis>
<ospf>true</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<id>0</id>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>true</bgp>
</from>
</rule>
</rules>
</redistribution>
</isis>
Delete ISIS
DeletesISISrouting.
Example 8-57. Delete ISIS
Request
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/isis
Manage BGP Routes for NSX Edge

BorderGatewayProtocol(BGP)makescoreroutingdecisions.ItincludesatableofIPnetworksorprefixes
whichdesignatenetworkreachabilityamongautonomoussystems.Anunderlyingconnectionbetweentwo
BGPspeakersisestablishedbeforeanyroutinginformationisexchanged.Keepalivemessagesaresentoutby
theBGPspeakersinordertokeepthisrelationshipalive.Oncetheconnectionisestablished,theBGPspeakers
exchangeroutesandsynchronizetheirtables.
Configure BGP
Example 8-58. Configure BGP
Request
PUThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/bgp
RequestBody:
<bgp>
<enabled>true</enabled> 
<bgpNeighbours>
<bgpNeighbour>
VMware, Inc.
177
<weight>60</weight>

<bgpFilters>

<bgpFilter>
IPv4 prefixes -->
prefixes -->
</bgpFilter>
</bgpFilters>
</bgpNeighbour>
</bgpNeighbours>
<redistribution>
<rules>
<rule>
<from>
<isis>true</isis>
<ospf>true</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>false</bgp>
</from>
</rule>
</rules>
</redistribution>
</bgp>
Query BGP
Example 8-59. Query BGP
Request
GEThttps://<nsxmgrip>/api/4.0/edges/<edgeId>/routing/config/bgp
RequestBody:
<bgp>
<bgpNeighbours>
<bgpNeighbour>
<weight>60</weight>
178
VMware, Inc.
<bgpFilters>
<bgpFilter>
</bgpFilter>
<bgpFilter>
</bgpFilter>
</bgpFilters>
</bgpNeighbour>
</bgpNeighbours>
<redistribution>
<rules>
<rule>
<id>1</id>
<from>
<isis>true</isis>
<ospf>true</ospf>
<bgp>false</bgp>
</from>
</rule>
<rule>
<id>0</id>
<from>
<isis>false</isis>
<ospf>false</ospf>
<bgp>false</bgp>
</from>
</rule>
</rules>
</redistribution>
</bgp>
Delete BGP
DeletesBGProuting.
Example 8-60. Delete BGP
Request
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config/bgp
VMware, Inc.
179
Working with Load Balancer

TheNSXEdgeloadbalancerenablesnetworktraffictofollowmultiplepathstoaspecificdestination.It
distributesincomingservicerequestsevenlyamongmultipleserversinsuchawaythattheloaddistribution
istransparenttousers.Loadbalancingthushelpsinachievingoptimalresourceutilization,maximizing
throughput,minimizingresponsetime,andavoidingoverload.NSXEdgeprovidesloadbalancingupto
Layer7.
Youmapanexternal,orpublic,IPaddresstoasetofinternalserversforloadbalancing.Theloadbalancer
acceptsTCP,HTTP,orHTTPSrequestsontheexternalIPaddressanddecideswhichinternalservertouse.
Port8090isthedefaultlisteningportforTCP,port80isthedefaultportforHTTP,andport443isthedefault
portforHTTPs.
Configure Load Balancer

Theinputcontainsfiveparts:applicationprofile,virtualserver,pool,monitorandapplicationrule.
Example 8-61. Configure load balancer
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config
RequestBody:
<loadBalancer>

<enableServiceInsertion>false</enableServiceInsertion>

<accelerationEnabled>true</accelerationEnabled>

<logging>

<enable>true</enable>
<logLevel>debug</logLevel>

</logging>
<virtualServer>

<virtualServerId>virtualServer-1</virtualServerId>

<name>http_vip</name>

<description>http virtualServer</description>



<protocol>http</protocol>

<port>80</port>

<connectionLimit>123</connectionLimit>

<connectionRateLimit>123</connectionRateLimit>

<applicationProfileId>applicationProfile-1</applicationProfileId> 
<defaultPoolId>pool-1</defaultPoolId>










<!-<key>abcd</key> -->
<!-<name>abcd</name> -->
<!-<value>1234</value> -->




</virtualServer>
<virtualServer>
<name>https_vip</name>
<description>https virtualServer</description>
<protocol>https</protocol>
180
VMware, Inc.
<port>443</port>
<applicationProfileId>applicationProfile-2</applicationProfileId>
<accelerationEnabled>false</accelerationEnabled>
</virtualServer>
<virtualServer>
<name>tcp_transparent_vip</name>
<description>tcp virtualServer</description>
<port>1234</port>
</virtualServer>
<virtualServer>
<name>tcp_snat_vip</name>
<description>tcp snat virtualServer</description>
<port>1235</port>
</virtualServer>
<applicationProfile>
<name>http_application_profile</name>
<insertXForwardedFor>true</insertXForwardedFor>
<sslPassthrough>true</sslPassthrough>
<persistence>
<method>cookie</method>

<cookieName>JSESSIONID</cookieName>

<cookieMode>insert</cookieMode>

</persistence>
</applicationProfile>
<applicationProfileId>applicationProfile-2</applicationProfileId> 
<name>https_application_profile</name>

<persistence>

<method>ssl_sessionid</method>

</persistence>
<name>tcp_application_profile</name>
<insertXForwardedFor>false</insertXForwardedFor>
<pool>


<name>pool-http</name>

VMware, Inc.
181
<description>pool-http</description>

<transparent>false</transparent>
<algorithm>round-robin</algorithm>

<monitorId>monitor-1</monitorId>

<member>

<memberId>member-1</memberId>




<weight>1</weight>
<port>80</port>

<minConn>10</minConn>
<maxConn>100</maxConn>
<name>m1</name>

</member>
<member>
<weight>1</weight>
<port>80</port>
<name>m2</name>
<condition>enabled</condition>

</member>
</pool>
<pool>
<name>pool-https</name>
<description>pool-https</description>
<member>
<weight>1</weight>
<port>443</port>
<name>m3</name>
</member>
<member>
<weight>1</weight>
<port>443</port>
<name>m4</name>
</member>
</pool>
<pool>
<name>pool-tcp</name>
<description>pool-tcp</description>
<transparent>true</transparent>
<member>
<weight>1</weight>
<port>1234</port>
182
VMware, Inc.
<name>m5</name>
<monitorPort>80</monitorPort>
</member>
<member>
<weight>1</weight>
<port>1234</port>
<name>m6</name>
</member>
</pool>
<pool>
<name>pool-tcp-snat</name>
<description>pool-tcp-snat</description>
<member>
<weight>1</weight>
<port>1234</port>
<name>m7</name>
</member>
<member>
<weight>1</weight>
<port>1234</port>
<name>m8</name>
</member>
</pool>
<monitor>

<type>http</type>

<timeout>15</timeout>
<maxRetries>3</maxRetries>
<method>GET</method>

<url>/</url>

<name>http-monitor</name>









</monitor>
<monitor>
<type>https</type>
VMware, Inc.
183
<url>/</url>
<name>https-monitor</name>
</monitor>
<monitor>
<type>tcp</type>
<name>tcp-monitor</name>
</monitor>
</loadBalancer>configuration example2 to show HTTP/HTTPS Redirection, SSL Offloading, Content Switching, HTTP
HealthMonitor
<loadBalancer>
<logging>
</logging>
<applicationRule>
<applicationRuleId>applicationRule-1</applicationRuleId>

<name>traffic_ctrl_rule</name>

<script>acl srv1_full srv_conn(pool-http/m1) gt 50
acl srv2_full srv_conn(pool-http/m2) gt 50
use_backend pool-backup if srv1_full or srv2_full</script>

</applicationRule>
<applicationRule>
<name>redirection_rule</name>
<script>acl google_page url_beg /google
redirect location https://www.google.com/ if google_page</script>
</applicationRule>
<applicationRule>
<name>l7_rule</name>
<script>acl backup_page url_beg /backup
use_backend pool-backup if backup_page</script>
</applicationRule>
<virtualServer>
<name>http_redirection_vip</name>
<description>http redirection virtualServer</description>
<port>80</port>
</virtualServer>
<virtualServer>
<port>443</port>
184
VMware, Inc.

</virtualServer>
<name>https_redirection_application_profile</name>
<sslPassthrough>false</sslPassthrough>
<httpRedirect>

<to>https://10.117.35.171</to>

</httpRedirect>
<name>ssl_offloading_application_profile</name>


<sslPassthrough>false</sslPassthrough>
<clientSsl>

<clientAuth>ignore</clientAuth>

<ciphers>AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH</ciphers>

<serviceCertificate>certificate-4</serviceCertificate>

<caCertificate>certificate-3</caCertificate>

<crlCertificate>crl-1</crlCertificate>

</clientSsl>
<!-<serverSsl>
<ciphers>AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH</ciphers>
</serverSsl>
-->
<pool>
<member>
<weight>1</weight>
<port>80</port>
<name>m1</name>
</member>
<member>
<weight>1</weight>
<port>80</port>
<name>m2</name>
</member>
</pool>
<pool>
VMware, Inc.
185
<name>pool-backup</name>
<description>pool backup</description>
<member>
<weight>1</weight>
<port>80</port>
<name>m3</name>
</member>
<member>
<weight>1</weight>
<port>80</port>
<name>m4</name>
</member>
</pool>
<monitor>
<type>http</type>
<url>/</url>
</monitor>
</loadBalancer>
Forthedatapathtowork,youneedtoaddfirewallrulestoallowrequiredtrafficaspertheloadbalancer
configuration.
Query Load Balancer Configuration

Getscurrentloadbalancerconfiguration.
Example 8-62. Retrieve load balancer configuration
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config
ResponseBody:
SeeExample 861.
Delete Load Balancer Configuration

Example 8-63. Delete load balancer configuration
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config
186
VMware, Inc.
Manage Application profiles

Youcreateanapplicationprofiletodefinethebehaviorofaparticulartypeofnetworktraffic.After
configuringaprofile,youassociatetheprofilewithavirtualserver.Thevirtualserverthenprocessestraffic
accordingtothevaluesspecifiedintheprofile.Usingprofilesenhancesyourcontrolovermanagingnetwork
traffic,andmakestrafficmanagementtaskseasierandmoreefficient.
Append Application Profile

Addsanapplicationprofile.
Example 8-64. Append profile
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationprofiles
RequestBody:
<name>http_application_profile_2</name>
<persistence>
</persistence>
Modify Application Profile

Modifiesanapplicationprofile.
Example 8-65. Modify profile
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationprofiles/{applicationProfileId}
RequestBody:
<persistence>
</persistence>
Query Application Profile

Retrievesanapplicationprofile.
Example 8-66. Query profile
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationprofiles/{applicationProfileId}
RequestBody:
VMware, Inc.
187
<persistence>
</persistence>
Query all Application Profiles

RetrievesallapplicationprofilesonEdge.
Example 8-67. Query profiles
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationprofiles/
ResponseBody:
<loadBalancer>
<persistence>
</persistence>
<name>http_application_profile</name>
<persistence>
<method>ssl_sessionid</method>
</persistence>
<name>https_application_profile</name>
<name>tcp_application_profile</name>
</loadBalancer>
Delete Application Profile

Deletesanapplicationprofile.
Example 8-68. Delete profile
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationprofiles/{applicationProfileId}
188
VMware, Inc.
Delete all Application Profiles

Deletesallapplicationprofile.
Example 8-69. Delete profiles
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationprofiles
Manage Application Rules

You can write an application rule to directly manipulate and manage IP application traffic.
Append Application Rule

Addsanapplicationrule.
Example 8-70. Append rule
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationrules
RequestBody:
<applicationRule>
<name>redirection_rule</name>
<script>acl vmware_page url_beg /vmware
redirect location https://www.vmware.com/ if vmware_page</script>
</applicationRule>
Modify Application Rule

Modifiesanapplicationrule.
Example 8-71. Modify rule
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationrules/{applicationruleId}
RequestBody:
See Example 8-70.
Query Application Rule

Retrievesanapplicationrule.
Example 8-72. Query rule
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationrules/{applicationruleId}
ResponseBody:
See Example 8-70.
Query all Application Rules

RetrievesallapplicationrulesonEdge.
VMware, Inc.
189
Example 8-73. Query rules

Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationrules/{applicationruleId}
Delete Application Rule

Deletesanapplicationrule.
Example 8-74. Delete rule
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationrules/{applicationruleId}
Delete all Application Rules

Deletesallapplicationrules.
Example 8-75. Delete rules
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/applicationrules
Manage Load Balancer Monitors

Youcreateaservicemonitortodefinehealthcheckparametersforaparticulartypeofnetworktraffic.When
youassociateaservicemonitorwithapool,thepoolmembersaremonitoredaccordingtotheservicemonitor
parameters.
Append Monitor
Addsaloadbalancermonitor.
Example 8-76. Append monitor
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/monitors
RequestBody:
<monitor>
<type>http</type>
<url>/</url>
<name>http-monitor-2</name>
</monitor>
Modify Monitor
Modifiesaloadbalancermonitor.
Example 8-77. Modify monitor
Request:
190
VMware, Inc.
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/monitors/{monitorId}
RequestBody:
<monitor>
<type>http</type>
<url>/</url>
</monitor>
Query Monitor
Retrievesaloadbalancermonitor.
Example 8-78. Query monitor
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/monitors{monitorId}
ResponseBody:
<monitor>
<type>http</type>
<url>/</url>
</monitor>
Query all Monitors

Retrievesallloadbalancermonitors.
Example 8-79. Query monitors
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/monitors
RequestBody:
<loadBalancer>
<monitor>
<type>http</type>
<url>/</url>
</monitor>
<monitor>
<type>https</type>
<url>/</url>
VMware, Inc.
191
<name>https-monitor</name>
</monitor>
<monitor>
<type>tcp</type>
<name>tcp-monitor</name>
</monitor>
</loadBalancer>
Delete Monitor
Deletesaloadbalancermonitor.
Example 8-80. Delete monitor
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/monitors/{monitorId}
Delete all Monitors

Deletesallloadbalancermonitors.
Example 8-81. Delete monitors
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/monitors
Manage Virtual Servers

You can add an NSX Edge internal or uplink interface as a virtual server.
Append Virtual Server

Addsavirtualserver.
Example 8-82. Append virtual server
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/virtualservers
RequestBody:
<virtualServer>
<name>http_vip_2</name>
<description>http virtualServer 2</description>
<port>82</port>
</virtualServer>
192
VMware, Inc.
Query a Virtual Server

Retrievesspecifiedvirtualserverdetails.
Example 8-83. Query virtual server
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/virtualservers/virtualserverID
ResponseBody:
SeeExample 882.
Query all Virtual Servers

Retrievesallvirtualservers.
Example 8-84. Query virtual servers
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/virtualservers
ResponseBody:
<loadBalancer>
<virtualServer>
<description>http virtualServer</description>
<port>80</port>
</virtualServer>
<virtualServer>
<port>443</port>
<accelerationEnabled>false</accelerationEnabled>
</virtualServer>
<virtualServer>
<name>tcp_transparent_vip</name>
<description>tcp virtualServer</description>
<port>1234</port>
VMware, Inc.
193
</virtualServer>
<virtualServer>
<name>tcp_snat_vip</name>
<description>tcp snat virtualServer</description>
<port>1235</port>
</virtualServer>
</loadBalancer>
Delete a Virtual Server

Deletesspecifiedvirtualserver.
Example 8-85. Delete virtual server
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/virtualservers/virtualserverID
Delete all Virtual Server

Deletesallvirtualservers.
Example 8-86. Delete all virtual server
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/virtualservers
Manage Backend Pools

Youcanaddaserverpooltomanageandsharebackendserversflexiblyandefficiently.Apoolmanagesload
balancerdistributionmethodsandhasaservicemonitorattachedtoitforhealthcheckparameters.
Append Backend Pool

AddsaloadbalancerserverpooltothespecifiedNSXEdge.
Example 8-87. Append backend pool
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/pools
RequestBody:
<pool>
<name>pool-tcp-snat-2</name>
<description>pool-tcp-snat-2</description>
194
VMware, Inc.
<member>
<weight>1</weight>
<port>1234</port>
<name>m5</name>
</member>
<member>
<weight>1</weight>
<port>1234</port>
<name>m6</name>
</member>
</pool>
Modify a Backend Pool

Updatesthespecifiedpool.
Example 8-88. Modify backend pool
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/pools/poolID
RequestBody:
<pool>
<name>pool-tcp-snat-2</name>
<description>pool-tcp-snat-3</description>
<member>
<weight>1</weight>
<port>1234</port>
<name>m5</name>
</member>
<member>
<weight>1</weight>
<port>1234</port>
<name>m6</name>
</member>
</pool>
Query Backend Pool Details

Retrievesinformationaboutthespecifiedpool.
VMware, Inc.
195
Example 8-89. Get backend pool details

Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/pools/poolID
ResponseBody:
See Example Example 8-88.
Query all Backend Pools

GetsallbackendpoolsconfiguredforthespecifiedNSXEdge.
Example 8-90. Query all backend pools
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/pools
ResponseBody:
<loadBalancer>
<pool>
<type>slb</type>
<member>
<weight>1</weight>
<port>80</port>
<name>m1</name>
</member>
<member>
<weight>1</weight>
<port>80</port>
<name>m2</name>
</member>
</pool>
<pool>
<type>slb</type>
<name>pool-https</name>
<description>pool-https</description>
<member>
<weight>1</weight>
<port>443</port>
196
VMware, Inc.
<name>m3</name>
</member>
<member>
<weight>1</weight>
<port>443</port>
<name>m4</name>
</member>
</pool>
<pool>
<type>slb</type>
<name>pool-tcp</name>
<description>pool-tcp</description>
<member>
<weight>1</weight>
<port>1234</port>
<name>m5</name>
</member>
<member>
<weight>1</weight>
<port>1234</port>
<name>m6</name>
</member>
</pool>
<pool>
<type>slb</type>
<name>pool-tcp-snat</name>
<description>pool-tcp-snat</description>
<member>
<weight>1</weight>
<port>1234</port>
<name>m7</name>
</member>
<member>
VMware, Inc.
197
<weight>1</weight>
<port>1234</port>
<name>m8</name>
</member>
</pool>
</loadBalancer>
Delete a Backend Pool

Deletesthespecifiedpool.
Example 8-91. Delete backend pool
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/pools/poolID
Delete all Backend Pools

DeletesallbackendpoolsconfiguredforthespecifiedNSXEdge.
Example 8-92. Delete backend pool
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config/pools
Query Statistics
Retrievesloadbalancerstatistics.
Example 8-93. Retrieve load balancer statistics
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/statistics
ResponseBody:
<loadBalancerStatusAndStats>
<timeStamp>1359722922</timeStamp>
<pool>
<member>
<name>m1</name>
<status>UP</status>
<bytesIn>70771</bytesIn>
<bytesOut>74619</bytesOut>
<curSessions>0</curSessions>
<maxSessions>1</maxSessions>
<rate>0</rate>
<rateMax>17</rateMax>
<totalSessions>142</totalSessions>
</member>
<member>
198
VMware, Inc.
<name>m2</name>
<status>UP</status>
<rate>0</rate>
</member>
<status>UP</status>
<rate>0</rate>
</pool>
<virtualServer>
<status>OPEN</status>
<httpReqTotal>283</httpReqTotal>
<httpReqRate>0</httpReqRate>
<httpReqRateMax>34</httpReqRateMax>
<rate>0</rate>
<rateLimit>0</rateLimit>
</virtualServer>
<globalSite>
<name>BJ site</name>
<globalSiteId>site-3</globalSiteId>
<msgSent>3</msgSent>
<msgRecv>747</msgRecv>
<msgRate>0</msgRate>
<dnsReq>0</dnsReq>
<dnsResolved>0</dnsResolved>
</globalSite>
<globalIp>
<fqdn>www.company.com</fqdn>
<globalIpId>gip-3</globalIpId>
<dnsReq>0</dnsReq>
<dnsMiss>0</dnsMiss>
</globalIp>
<globalPool>
<name>www-primary</name>
<dnsReq>0</dnsReq>
<member>
<name>10.117.7.110</name>
<status>up</status>
<dnsHit>0</dnsHit>
<cpuUsage>3</cpuUsage>
<memUsage>91</memUsage>
<sessions>0</sessions>
VMware, Inc.
199
<curConn>14</curConn>
<sessLimit>0</sessLimit>
<sessRate>0</sessRate>
<totalThroughput>0</totalThroughput>
<packagesPerSec>0</packagesPerSec>
</member>
</globalPool>
<globalPool>
<name>www-primary</name>
<dnsReq>0</dnsReq>
<member>
<name>10.117.7.110</name>
<status>up</status>
<dnsHit>0</dnsHit>
<cpuUsage>3</cpuUsage>
<memUsage>91</memUsage>
<curConn>14</curConn>
<sessLimit>0</sessLimit>
<sessRate>0</sessRate>
<totalThroughput>0</totalThroughput>
<packagesPerSec>0</packagesPerSec>
</member>
</globalPool>
</loadBalancerStatusAndStats>
Update LoadBalancer Acceleration Mode

Example 8-94. Update acceleration mode
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/{edgeId/loadbalancer/acceleration?enable=true/false
Update Load Balancer Member Condition

Example 8-95. Update member condition
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/{edgeId/loadbalancer/config/members/{memberId}?enable=true/false
Working with DHCP

NSXEdgeprovidesDHCPservicetobindassignedIPaddressestoMACaddresses,helpingtopreventMAC
spoofingattacks.AllvirtualmachinesprotectedbyaNSXEdgecanobtainIPaddressesdynamicallyfromthe
NSXEdgeDHCPservice.
NSXEdgesupportsIPaddresspoolingandonetoonestaticIPaddressallocationbasedonthevCenter
managedobjectID(vmId)andinterfaceID(interfaceId)oftherequestingclient.
IfeitherbindingsorpoolsarenotincludedinthePUTcall,existingbindingsorpoolsaredeleted.
AllDHCPsettingsconfiguredbyRESTrequestsappearundertheNSXEdge>DHCPtabfortheappropriate
NSXEdgeintheNSXManageruserinterfaceandinvSphereClientplugin.
NSXEdgeDHCPserviceadherestothefollowingrules:
200
VMware, Inc.
ListensontheNSXEdgeinternalinterface(nonuplinkinterface)forDHCPdiscovery.
Asstatedabove,vmIdspecifiesthevc-moref-idofthevirtualmachine,andvnicIdspecifiestheindexofthe
vNicfortherequestingclient.Thehostnameisanidentificationofthebindingbeingcreated.ThishostName
isnotpushedasthespecifiedhostnameofthevirtualmachine.
Bydefault,allclientsusetheIPaddressoftheinternalinterfaceoftheNSXEdgeasthedefaultgateway
address.Tooverrideit,specifydefaultGatewayperbindingorperpool.Theclientsbroadcastand
subnetMaskvaluesarefromtheinternalinterfaceforthecontainernetwork.
leaseTimecanbeinfinite,oranumberofseconds.Ifnotspecified,thedefaultleasetimeis1day.
Loggingisdisabledbydefault.
Settingtheparameterenable=truestartstheDHCPservicewhileenable=falsestopstheservice.
BothstaticBindingandipPoolsmustbepartoftherequestbody.Else,theywillbedeletedifconfigured
earlier.
Configure DHCP
Example 8-96. Configure DHCP service
PUT https://<vsm-ip>/api/4.0/<edgeId>/dhcp/config
RequestBody:
<dhcp>
<enabled>true</enabled> 
<staticBindings>
<staticBinding>

<macAddress>12:34:56:78:90:AB</macAddress> 
<vmId>vm-111</vmId> 
<vnicId>1</vnicId> 
<hostname>abcd</hostname> 
<ipAddress>192.168.4.2</ipAddress> 
<defaultGateway>192.168.4.1</defaultGateway> 
<domainName>eng.vmware.com</domainName> 
<primaryNameServer>192.168.4.1</primaryNameServer> 
<secondaryNameServer>4.2.2.4</secondaryNameServer> 
<leaseTime>infinite</leaseTime> 
<autoConfigDNS>true</autpConfigDNS> 
</staticBinding>
</staticBindings>
<ipPools>
<ipPool>
<ipRange>192.168.4.192-192.168.4.220</ipRange> 
<defaultGateway>192.168.4.1</defaultGateway> 
<domainName>eng.vmware.com</domainName> 
<primaryNameServer>192.168.4.1</primaryNameServer> 
<secondaryNameServer>4.2.2.4</secondaryNameServer> 
<leaseTime>3600</leaseTime> 
<autoConfigDNS>true</autoConfigDNS> 
</ipPool>
</ipPools>
<logging> 
<enable>false</enable> 
VMware, Inc.
201
<logLevel>info</logLevel> 

</logging>
</dhcp>
NOTEIftheNSXEdgeautoConfiguration flagandautoConfigureDNS istrue,andtheprimaryNameServeror

secondaryNameServerparametersarenotspecified,NSXManagerappliestheDNSsettingstotheDHCP
configuration.
Query DHCP Configuration

GetstheDHCPconfigurationonaNSXEdgeincludingIPpoolandstaticbindingassignments.
Example 8-97. Get DHCP configuration
GET https://<vsm-ip>/api/4.0/<edgeId>/dhcp/config
ResponseBody:
<dhcp>
<staticBindings>
<staticBinding>
<vmId>vm-111</vmId>
<vnicId>1</vnicId>
<hostname>abcd</hostname>
<domainName>eng.vmware.com</domainName>
<primaryNameServer>192.168.4.1</primaryNameServer>
<secondaryNameServer>4.2.2.4</secondaryNameServer>
<leaseTime>infinite</leaseTime>
</staticBinding>
</staticBindings>
<ipPools>
<ipPool>
<ipRange>192.168.4.192-192.168.4.220</ipRange>
</ipPool>
</ipPools>
<logging>
</logging>
</dhcp>
Delete DHCP Configuration

DeletestheDHCPconfigurationandreversetheconfigurationbacktofactorydefaults.
Example 8-98. Delete DHCP configuration
Request:
DELETE https://<vsm-ip>/api/4.0/<edgeId>/dhcp/config
202
VMware, Inc.
Retrieve DHCP Lease Information

Example 8-99. Get DHCP lease information
GET https://<vsm-ip>/api/4.0/<edgeId>/dhcp/leaseinfo
ResponseBody:
<dhcpLeases>
<dhcpLeaseInfo>
<leaseInfo>
<uid>\001\000PV\265\204\207</uid>
<macAddress>00:50:56:b5:84:87</macAddress>
<clientHostname>vto-suse-dev</clientHostname>
<bindingState>active</bindingState>
<nextBindingState>free</nextBindingState>
<cltt>4 2012/01/19 05:24:50</cltt>
<starts>4 2012/01/19 05:24:50</starts>
<ends>4 2012/01/19 17:24:50</ends>
<hardwareType>ethernet</hardwareType>
</leaseInfo>
</dhcpLeaseInfo>
</dhcp>
Append IP Pool to DHCP Configuration

AppendsanIPpooltotheDHCPconfiguration.ReturnsapoolIDwithinaLocationHTTPheader.
POST https://<vsm-ip>/api/4.0/<edgeId>/dhcp/config/ippools
ResponseBody:
<ipPool>
<ipRange>192.168.5.2-192.168.5.20</ipRange>
</ipPool>
Append Static Binding to DHCP Configuration

AppendsastaticbindingtotheDHCPconfiguration.AstaticbindingIDisreturnedwithinaLocationHTTP
header.
Example 8-101. Add static binding
POST https://<vsm-ip>/api/4.0/<edgeId>/dhcp/config/bindings
ResponseBody:
<staticBinding>
<vmId>vm-157</vmId>
<vnicId>3</vnicId> 
<hostname>vShield-edge-2-0</hostname>
VMware, Inc.
203
<leaseTime>infinite</leaseTime>
</staticBinding>
Delete DHCP Pool

Deletesapoolspecifiedbypoolid.
Example 8-102. Delete DHCP pool
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/dhcp/config/ippools/<poolId>
Delete DHCP Static Binding

Deletesthestaticbindingspecifiedbybindingid.
Example 8-103. Delete DHCP static binding
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/dhcp/config/bindings/<bindingId>
Working with High Availability (HA)

HighAvailability(HA)ensuresthataNSXEdgeapplianceisalwaysavailableonyourvirtualizednetwork.
YoucanenableHAeitherwheninstallingNSXEdgeoronaninstalledNSXEdgeinstance.
IfasingleapplianceisassociatedwithNSXEdge,theapplianceconfigurationisclonedforthestandby
appliance.IftwoappliancesareassociatedwithNSXEdgeandoneofthemisdeployed,thisRESTcalldeploys
theremainingapplianceandpushHAconfigurationtoboth.
HAreliesonaninternalinterface.Ifaninternalinterfacedoesnotexist,thiscallwillnotdeploythesecondary
appliance,orpushHAconfigtoappliance.TheenablingofHAwillbedoneonceanavailableinternal
interfaceisadded.
IfthePUTcallincludesanemptyxml<highAvailability />orenabled=false,itactsasaDELETEcall.
Example 8-104. Configure high availability
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/highavailability/config
RequestBody:
<highAvailability>
<vnic>1</vnic> 
<ipAddresses> 
</ipAddresses>
<declareDeadTime>6</declareDeadTime> 
<enabled>true<enabled> 
</highAvailability>
204
VMware, Inc.
Retrieve High Availability Configuration

Example 8-105. Get high availability configuration
Request:api/
GET https://<vsm-ip>/4.0/edges/<edgeId>/highavailability/config
RequestBody:
<highAvailability>
<vnic>1</vnic>
<ipAddresses>
</ipAddresses>
<declareDeadTime>6</declareDeadTime> 
</highAvailability>
Delete High Availability Configuration

NSXManagerdeletesthestandbyapplianceandremovestheHAconfigfromtheactiveappliance.
YoucanalsodeletetheHAconfigurationbyusingaPUTcallwithemptyxml<highAvailability/>orwith
<highAvailability><enabled>false</enabled></highAvailability>.
Example 8-106. Delete high availability configuration
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/highavailability/config
Working with Syslog

Youcanconfigureoneortworemotesyslogservers.NSXEdgeeventsandlogsrelatedtofirewalleventsthat
flowfromNSXEdgeappliancesaresenttothesyslogservers.
Configure Syslog
Configuressyslogservers.
Example 8-107. Configure syslog servers
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/syslog/config
RequestBody:
<syslog>

<serverAddresses>

</serverAddresses>
</syslog>
Query Syslog
Retrievessyslogserverinformation.
VMware, Inc.
205
Example 8-108. Query syslog servers

Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/syslog/config
ResponseBody:
<syslog>

<serverAddresses>

</serverAddresses>
</syslog>
Delete Syslog
Deletessyslogservers.
Example 8-109. Delete syslog servers
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/syslog/config
Managing SSL VPN

WithSSLVPNPlus,remoteuserscanconnectsecurelytoprivatenetworksbehindaNSXEdgegateway.
Remoteuserscanaccessserversandapplicationsintheprivatenetworks.
Enable or Disable SSL VPN

EnablesordisablesSSLVPNontheNSXEdgeappliance.
Example 8-110. Enable or disable SSL VPN
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/?enableService=true|False
Query SSL VPN Details

RetrievesSSLVPNdetails.
Example 8-111. Get SSL VPN details
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/
Manage Server Settings

Apply Server Settings
ConfiguresSSLVPNserveronport443usingthecertificatenamedservercertthatisalreadyuploadedonthe
NSXEdgeapplianceandthespecifiedcipher.
206
VMware, Inc.
Example 8-112. Apply server settings

Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/server/
RequestBody:
<?xml version="1.0" encoding=UTF-8?>
<serverSettings>
<serverAddresses>
<ipAddress>10.112.243.109</ipAddress> 
</serverAddresses>
<port>443</port> 

 
<cipherList>

<!RC4-MD5|AES128-SHA|AES256-SHA|DES-CBC3-SHA-->
<cipher>RC4-MD5</cipher>
<cipher>AES128-SHA</cipher>
<cipher>DES-CBC3-SHA</cipher>
</cipherList>
</serverSettings>
Query Server Settings

Getsserversettings.
Example 8-113. Apply server settings
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/server/
RequestBody:
<serverSettings>
<serverAddresses>
</serverAddresses>
<port>60003</port>
<certificateId>certificate-1</certificateId>
<cipherList>
</cipherList>
</serverSettings>
Configure Private Networks

Add Private Network
ConfiguresaprivatenetworkthattheadministratorwantstoexposetoremoteusersovertheSSLVPNtunnel.
Example 8-114. Add private network
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/privatenetworks/
RequestBody:
VMware, Inc.
207
<privateNetwork>
<description>This is a private network for UI-team</description>
<sendOverTunnel>

<ports>20-40</ports>

<optimize>false</optimize> 
</sendOverTunnel>

</privateNetwork>
Modify Private Network

ModifiesthespecifiedprivatenetworkintheSSLVPNserviceonNSXEdge.
Example 8-115. Add private network
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/privatenetworks/privateNetworkID
RequestBody:
<privateNetwork>
<sendOverTunnel>
<optimize>false</optimize>
</sendOverTunnel>
</privateNetwork>
Query Specific Private Network

GetsthespecifiedprivatenetworkprofileintheSSLVPNinstanceonNSXEdge.
Example 8-116. Query private network
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/privatenetworks/privateNetworkID
RequestBody:
<privateNetwork>
<sendOverTunnel>
</sendOverTunnel>
</privateNetwork>
Query all Private Networks

GetsallprivatenetworkprofilesintheSSLVPNinstanceonNSXEdge.
Example 8-117. Query private network
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/privatenetworks/
208
VMware, Inc.
RequestBody:
<privateNetwork>
<privateNetwork>
<onjectId>privatenetwork-1</objectId>
<description>This is a private network for pune-qa-team</description>
<sendOverTunnel>
<optimize>true</optimize>
</sendOverTunnel>
</privateNetwork>
</privateNetwork>
Delete Private Network

DeletesthespecifieddynamicIPaddressconfigurationfromtheSSLVPNinstanceonNSXEdge.
Example 8-118. Delete private network
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/
privatenetworks/privatenetworkID
Delete all Private Networks

DeletesalldynamicIPaddressconfigurationsfromtheSSLVPNinstanceonNSXEdge.
Example 8-119. Delete private network
Request:
privatenetworks/
Apply All Private Networks

UpdatesallprivatenetworkconfigurationsofNSXEdgewiththegivenlistofprivatenetworkconfigurations.
Iftheconfigurationispresent,itisupdated;ifitisnotpresent,anewprivatenetworkconfigurationiscreated.
ExistingconfigurationsnotincludedintheRESTcallaredeleted.
Example 8-120. Apply all private networks
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/
privatenetworks/
Configure Web Resource

Add Portal Web Resource
Adds a web access server that the remote user can connect to via a web browser.
Example 8-121. Add portal web resource
Request:
VMware, Inc.
209
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/webresources/
RequestBody:
<webResource>
<name>VMware</name>
<url>http://www.vmware.com</url>
<method name="POST">
<data>username=stalin </data>
</method>
<description>Click here to visit the corporate intranet Homepage </description>
</webResource>
Modify Portal Web Resource

Modifies the specified web access server.
Example 8-122. Modify portal web resource
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/webresources/ID
RequestBody:
<webResource>
<name>VMware</name>
</method>
</webResource>
Query Portal Web Resource

Gets the specified web access server.
Example 8-123. Get specific portal web resource
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/webresources/ID
ResponseBody:
<webResource>
<name>VMware</name>
</method>
</webResource>
Query all Web Resources

GetsallwebresourcesontheSSLVPNinstance.
210
VMware, Inc.
Example 8-124. Get portal web resource

Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/webresources/
ResponseBody:
<webResources>
<webResource>
<objectId>webresource-1</objectId>
<name>VMware</name>
</method>
</webResource>
</webResources>
Delete Portal Web Resource

Deletes the specified web access server.
Example 8-125. Delete specific portal web resource
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/webresources/ID
Deletes all Web Resources

DeletesallwebresourcesontheSSLVPNinstance.
Example 8-126. Deletes all portal web resources
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/webresources/
Apply All Web Resources

UpdateswebresourceconfigurationsofNSXEdgewiththegivenlistofwebresourceconfigurations.Ifthe
configurationispresent,itisupdated;ifitisnotpresent,anewwebresourceconfigurationiscreated.Existing
configurationsnotincludedintheRESTcallaredeleted.
Example 8-127. Apply all private networks
Request:
privatenetworks/
Configure Users
Add User
Addsanewportaluser.
VMware, Inc.
211
Example 8-128. Add a user

Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/auth/localserver/users/
RequestBody:
<user>
<userId>stalin</userId>
<password>apple@123</password>
<firstName>STALIN</firstName>
<lastName>RAJAKILLI</lastName>
<description>This user belong to vsm team</description>
<disableUserAccount>false</disableUserAccount>

<passwordNeverExpires>true</passwordNeverExpires>
<allowChangePassword>
<changePasswordOnNextLogin>false</changePasswordOnNextLogin> 
</allowChangePassword>
</user>
Modify User
Modifiesthespecifiedportaluser.
Example 8-129. Modify user
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/auth/localserver/users/
RequestBody:
<user>
</user>
Query User Details

Getsinformationaboutthespecifieduser.
Example 8-130. Query user
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/auth/localserver/users/userID
ResponseBody:
<users>
<user>
<firstName>Bob</firstName>
<lastName>Weber</lastName>
212
VMware, Inc.
</user>
Delete User
Deletesspecifieduser.
Example 8-131. Delete user
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/auth/localserver/users/userID
Delete all Users

DeletesallusersonthespecifiedSSLVPNinstance.
Example 8-132. Delete all user
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/auth/localserver/users/
Apply all Users

UpdatesallusersofNSXEdgewiththegivenlistofusers.Iftheuserispresent,itisupdated;ifitisnotpresent,
anewuseriscreated.ExistingusersnotincludedintheRESTcallaredeleted.
Example 8-133. Apply all users
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/auth/localusers/users
RequestBody:
<users>
<user>
<firstName>Bob</firstName>
<lastName>Weber</lastName>
<changePasswordOnNextLogin>false</changePasswordOnNextLogin>
</user>
Configure IP Pool
You can add, edit, or delete an IP pool.
VMware, Inc.
213
Add IP Pool
CreatesanIPpoolthatwillbeusedtoassignIPaddresstoremoteusers.
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/ippools/
RequestBody:
<ipAddressPool>
<description>description</description>
<ipRange>10.112.243.11-10.112.243.57</ipRange>
<netmask>255.0.0.0</netmask>
<primaryDns>192.168.10.1</primaryDns


<dnsSuffix></dnsSuffix>
<winsServer>10.112.243.201</winsServer>
</ipAddressPool>
Modify IP Pool
ModifiesthespecifiedIPpool.
Example 8-135. Modify IP pool
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/ippools/ippoolID
RequestBody:
<ipAddressPool>
<ipRange>10.112.243.11-10.112.243.57</ipRange>
</ipAddressPool>
Query IP Pool
GetsdetailsoftheIPpool.
Example 8-136. Get IP pool
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/ippools/ippoolID
ResponseBody:
<ipAddressPool>
<objectId>ipPool-1</objectId>
<ipRange>10.112.243.11-10.112.243.57</ipRange>
214
VMware, Inc.


</ipAddressPool>
Query all IP Pools

GetsallIPpoolsconfiguredontheSSLVPNinstance.
Example 8-137. Gets all IP pools
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/ippools/
ResponseBody:
<ipAddressPool>
<objectId>ipPool-1</objectId>
<ipRange>10.112.243.11-10.112.243.57</ipRange>


</ipAddressPool>
Delete IP Pool
DeletesthespecifiedIPpool.
Example 8-138. Delete IP pool
Request:
ippools/ippoolID
Deletes all IP Pools

DeletesallIPpoolsontheSSLVPNinstance.
Example 8-139. Deletes all IP pools
Request:
ippools/
Apply all IP Pools

UpdatesallIPpoolsofNSXEdgewiththegivenlistofusers.IftheIPpoolispresent,itisupdated;ifitisnot
present,anewIPpooliscreated.ExistingpoolsnotincludedintheRESTcallaredeleted.
VMware, Inc.
215
Example 8-140. Apply IP pools

Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/ippools/
RequestBody:
<ipAddressPools>
<ipAddressPool>
<ipRange>10.112.243.11-10.112.243.57</ipRange>
</ipAddressPool>
<ipAddressPools>
Configure Network Extension Client Parameters

Apply Client Configuration
Setsadvancedparametersforfullaccessclientconfigurationssuchaswhetherclientshouldautoreconnect
incaseofnetworkfailuresornetworkunavailability,orwhethertheclientshouldbeuninstalledafterlogout.
Example 8-141. Apply IP pools
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/clientconfig/
RequestBody:
<clientConfiguration>
<autoReconnect>true</autoReconnect>
<fullTunnel>

<excludeLocalSubnets>true</excludeLocalSubnets> 
<gatewayIp>10.112.243.11</gatewayIp>
</fullTunnel>
<upgradeNotification>false</upgradeNotification> 
</clientConfiguration>
Get Client Configuration

Getsinformationaboutthespecifiedclient.
Example 8-142. Get client configuration
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/clientconfig/
ResponseBody:
<autoReconnect>true</autoReconnect> 
<tunnelConfiguration>
<excludeLocalSubnets>true</excludeLocalSubnets> 
</tunnelConfiguration>
216
VMware, Inc.
<upgradeNotification>false</upgradeNotification> 

Configure Network Extension Client Installation Package

You can add, delete, or edit an installation package for the SSL client.
Add Client Installation Package

Createssetupexecutables(installers)forfullaccessnetworkclients.Thesesetupbinariesarelaterdownloaded
byremoteclientsandinstalledontheirsystems.Theprimaryparametersneededtoconfigurethissetupare
hostnameofthegateway,anditsportandaprofilenamewhichisshowntotheusertoidentifythis
connection.Administratorcanalsosetfewotherparameterssuchaswhethertoautomaticallystartthe
applicationonwindowslogin,hidethesystemtrayiconetc.
Example 8-143. Add installation package
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/client/networkextension/installpackages/
RequestBody:
<clientInstallPackage>
<profileName>client</profileName>
<gatewayList>
<gateway>
<port>443</port> 
</gateway>
</gatewayList>
<startClientOnLogon>false</startClientOnLogon> 
<hideSystrayIcon>true</hideSystrayIcon> 
<rememberPassword>true</rememberPassword> 
<silentModeOperation>true</silentModeOperation> !--optional. Default is false-->
<silentModeInstallation>false</silentModeInstallation> 
<hideNetworkAdaptor>false</hideNetworkAdaptor> 
<createDesktopIcon>true</createDesktopIcon> 
<enforceServerSecurityCertValidation>false</enforceServerSecurityCertValidation> 
<createLinuxClient>false</createLinuxClient> 
<createMacClient>false</createMacClient> 
<description>windows client</description>
<enabled>true</enabled> 
</clientInstallPackage>
Modify Client Installation Package

Modifiesthespecifiedinstallationpackage.
Example 8-144. Modify installation package
Request:
installpackages/ID
RequestBody:
<gatewayList>
<gateway>
VMware, Inc.
217

</gateway>
</gatewayList>
<startClientOnLogon>false</startClientOnLogon>
<hideSystrayIcon>true</hideSystrayIcon>
<rememberPassword>true</rememberPassword>
<silentModeOperation>true</silentModeOperation>
<silentModeInstallation>false</silentModeInstallation> 
<hideNetworkAdaptor>false</hideNetworkAdaptor>
<createDesktopIcon>true</createDesktopIcon>
<enforceServerSecurityCertValidation>false</enforceServerSecurityCertValidation>
Default is true-->
<createLinuxClient>false</createLinuxClient>
<createMacClient>false</createMacClient>

<portalTitle>Pepsi Remote Access</portalTitle>
<companyName>pepsi, Inc.</companyName>

<logoBackgroundColor>FFFFFF</logoBackgroundColor>
<titleColor>996600</titleColor>
<topFrameColor>000000</topFrameColor>
<menuBarColor>999999</menuBarColor>
<rowAlternativeColor>FFFFFF</rowAlternativeColor>
<bodyColor>FFFFFF</bodyColor>
<rowColor>F5F5F5</rowColor>
</layout>
Query Portal Layout

getstheportallayoutconfiguration.
VMware, Inc.
221
Example 8-157. Query layout configuration

Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/layout/
ResponseBody:
<layout>

<portalTitle>Pepsi Remote Access</portalTitle>
<companyName>pepsi, Inc.</companyName>

<logoBackgroundColor>FFFFFF</logoBackgroundColor>
<titleColor>996600</titleColor>
<topFrameColor>000000</topFrameColor>
<menuBarColor>999999</menuBarColor>
<rowAlternativeColor>FFFFFF</rowAlternativeColor>
<bodyColor>FFFFFF</bodyColor>
<rowColor>F5F5F5</rowColor>
</layout>
Configure Authentication Parameters

Youcanaddanexternalauthenticationserver(AD,LDAP,Radius,orRSA)whichisboundtotheSSL
gateway.Allusersintheboundedauthenticatedserverwillbeauthenticated.
Upload RSA Config File

UploadstheRSAconfigurationfiletoNSXManager.
Example 8-158. Upload RSA config file
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/auth/settings/rsaconfigfile/
Apply Authentication Configuration

Setsauthenticationprocessforremoteusers.Theadministratorspecifieswhetherusernamepasswordbased
authenticationshouldbeenabledandthelistanddetailsofauthenticationserverssuchasactivedirectory,
ldap,radiusetc.Theadministratorcanalsoenableclientcertificatebasedauthentication.
Example 8-159. Apply Authentication Configuration
Request:edgeId
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/auth/settings/
RequestBody:
<authenticationConfig>
<passwordAuthentication>
<authenticationTimeout>1</authenticationTimeout>


<primaryAuthServers>
<com.vmware.vshield.edge.sslvpn.dto.LdapAuthServerDto>
<ip>1.1.1.1</ip>
<port>90</port>

<timeOut>20</timeOut>

<enableSsl>false</enableSsl>
<searchBase>searchbasevalue</searchBase>
222
VMware, Inc.
<bindDomainName>binddnvalue</bindDomainName>
<bindPassword>password</bindPassword>

<loginAttributeName>cain</loginAttributeName> 
<searchFilter>found</searchFilter>


</com.vmware.vshield.edge.sslvpn.dto.LdapAuthServerDto>
<com.vmware.vshield.edge.sslvpn.dto.RadiusAuthServerDto>
<ip>3.3.3.3</ip>
<port>90</port>

<secret>struct9870</secret>
<nasIp>1.1.1.9</nasIp>

<retryCount>10</retryCount>
</com.vmware.vshield.edge.sslvpn.dto.RadiusAuthServerDto>
<com.vmware.vshield.edge.sslvpn.dto.LocalAuthServerDto>

<passwordPolicy>

<minLength>1</minLength>
<maxLength>1</maxLength>
<minAlphabets>0</minAlphabets>

<minDigits>0</minDigits>

<minSpecialChar>1</minSpecialChar>

<allowUserIdWithinPassword>false</allowUserIdWithinPassword> 
<passwordLifeTime>20</passwordLifeTime>

<expiryNotification>1</expiryNotification>
</passwordPolicy>
<accountLockoutPolicy>

<retryDuration>3</retryDuration>

<lockoutDuration>3</lockoutDuration>
</accountLockoutPolicy>
</com.vmware.vshield.edge.sslvpn.dto.LocalAuthServerDto>

<com.vmware.vshield.edge.sslvpn.dto.RsaAuthServerDto>
<sourceIp>1.2.2.3</sourceIp>
</com.vmware.vshield.edge.sslvpn.dto.RsaAuthServerDto> -->
</primaryAuthServers>
<secondaryAuthServer>

<com.vmware.vshield.edge.sslvpn.dto.AdAuthServerDto>
<ip>1.1.1.1</ip>
<port>90</port>


<loginAttributeName>cain</loginAttributeName>

<terminateSessionOnAuthFails>false</terminateSessionOnAuthFails> 
</com.vmware.vshield.edge.sslvpn.dto.AdAuthServerDto>
</secondaryAuthServer>
</passwordAuthentication>
</authenticationConfig>
Query Authentication Configuration

Getsinformationaboutthespecifiedauthenticationserver.
VMware, Inc.
223
Example 8-160. Query Authentication Configuration

Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/auth/settings/
ResponseBody:
<com.vmware.vshield.edge.sslvpn.dto.AuthenticationConfigurationDto>
<ip>1.1.1.1</ip>
<port>90</port>
<ip>1.1.1.1</ip>
<port>90</port>
<terminateSessionOnAuthFails>false</terminateSessionOnAuthFails>
</authenticationConfig>
Configure SSL VPN Advanced Configuration

Apply advanced configuration
Appliesadvancedconfiguration.
Example 8-161. Apply advanced configuration
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/advancedconfig/
RequestBody:
<advancedConfig>
<enableCompression>false</enableCompression>
<forceVirtualKeyboard>false</forceVirtualKeyboard> 
<preventMultipleLogon>true</preventMultipleLogon> 
<randomizeVirtualkeys>false</randomizeVirtualkeys> 
<timeout>

<forcedTimeout>16</forcedTimeout>

<sessionIdleTimeout>10</sessionIdleTimeout>

224
VMware, Inc.
</timeout>
<clientNotification></clientNotification>
<enablePublicUrlAccess>false</enablePublicUrlAccess> 
<enableLogging>false</enableLogging>
</advancedConfig>
Query Advanced Configuration

RetrievesSSLVPNadvancedconfiguration.
Example 8-162. Query advanced configuration
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/advancedconfig/
ResponseBody:
<advancedConfig>
<forceVirtualKeyboard>false</forceVirtualKeyboard> 
<preventMultipleLogon>true</preventMultipleLogon> 
<randomizeVirtualkeys>false</randomizeVirtualkeys> 
<timeout>



</timeout>
<enablePublicUrlAccess>false</enablePublicUrlAccess> 
</advancedConfig>
Working with Active Clients

YoucanretrievealistofactiveclientsfortheSSLVPNsessionanddisconnectaspecificclient.
Query Active Clients

RetrievesalistofactiveclientsfortheSSLVPNsession.
Example 8-163. Query active clients
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/activesessions/
ResponseBody:
<activeSessions>
<activeSession>
<sessionId>488382</sessionId>
<sessionType>PHAT</sessionType>
<userName>demo</userName>
<startTime>2011-09-24-06:00</startTime>
<upTime>101400</upTime>
<idleTime>2</idleTime>
<totalNonTcpBytesReceived>6576</totalNonTcpBytesReceived>
<totalTcpBytesReceived>30816</totalTcpBytesReceived>
<totalNonTcpBytesSent>0</totalNonTcpBytesSent>
<totalTcpBytesSent>152722</totalTcpBytesSent>
<clientInternalIp>1.0.192.10</clientInternalIp>
<clientVirtualIP>192.168.27.20</clientVirtualIP>
<clientExternalNatIp>10.112.243.227</clientExternalNatIp>
VMware, Inc.
225
<clientExternalNatPort>50498</clientExternalNatPort>
<totalConnections>2</totalConnections>
<totalActiveConnection>4</totalActiveConnection>
</activeSession>
</activeSessions>
Disconnect Active Client

Disconnectsanactiveclient.
Example 8-164. Disconnect active client
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/activesessions/sessionId
Manage Logon and Logoff scripts

You can bind a login or logoff script to the NSX Edge gateway.
Upload Script
Youcanaddmultipleloginorlogoffscripts.Forexample,youcanbindaloginscriptforstartingInternet
Explorerwithgmail.com.WhentheremoteuserlogsintotheSSLclient,InternetExploreropensup
gmail.com.
TheuploadscriptreturnsascriptfileIDwhichisusedtoconfigurethefileparameters.
Example 8-165. Upload script
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/script/file/
Configure Script Parameters

Configuresparametersassociatedwiththeuploadedscriptfile.
Example 8-166. Add script parameters
Request:
POST https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/script/
RequestBody:
<logonLogoffScript>
<scriptFileId>logonlogoffscriptfile-12</scriptFileId> 
<type>BOTH</type>
<description>Testing modify script</description>

</logonLogoffScript>
Modify Script Configuration

ModifiestheparametersassociatedwiththespecifiedscriptfileID.
Example 8-167. Modify script parameters
Request:
226
VMware, Inc.
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/script/scriptFileId
RequestBody:
<logonLogoffScript>
<scriptFileId>logonlogoffscriptfile-12</scriptFileId>
<type>BOTH</type>
<description>Testing modify sscript</description>
Query Script Configuration

RetrievesparametersassociatedwiththespecifiedscriptfileID.
Example 8-168. Get script parameters
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/script/scriptFileId
ResponseBody:
<logonLogoffScript>
<objectId>logonlogoffscript-1</objectId>
<type>BOTH</type>
<description>Testing modify script</description>
<scriptFileUri>https://vsm-ip/api/4.0/edges/edge-id/sslvpn/config/script/file/scriptFileId/</scriptFileUri>
Query All Script Configurations

RetrievesallscriptconfigurationsforthespecifiedNSXEdge.
Example 8-169. Get all script parameters
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/script/
ResponseBody:
<logonLogoffScript>
<logonLogoffScript>
<type>BOTH</type>
<description>Testing modify sscript</description>
Delete Script Configuration

DeletestheparametersassociatedwiththespecifiedscriptfileID.
Example 8-170. Delete script parameters
Request:
VMware, Inc.
227
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/script/scriptFileId
Delete All Script Configuragtions

DeletesallscriptconfigurationsforthespecifiedNSXEdge.
Example 8-171. Delete script parameters
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/script/
Apply All Script Configurations

UpdatesallscriptconfigurationsonthespecifiedNSXEdgewiththegivenlistofconfigurations.Ifthe
configurationispresent,itisupdated;ifitisnotpresent,anewconfigurationiscreated.Existing
configurationsnotincludedintheRESTcallaredeleted.
Example 8-172. Apply script configurations
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/script/
RequestBody:
<logonLogoffScript>
<logonLogoffScript>
<objectId>logonlogoffscript-1</objectId>
<type>BOTH</type>
<description>This script will run on both login and logoff of phat client</description>
Reconfigure SSL VPN

PushestheentireSSLVPNconfigurationtothespecifiedNSXEdgeinasinglecall.
Example 8-173. Reconfigure SSL VPN
Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/
RequestBody:
<sslvpnConfig>
<logging> 
</logging>
<serverSettings>
<ip>10.112.243.109</ip>
<port>443</port>




<cipherList> 
228
VMware, Inc.
</cipherList>
</serverSettings>
<privateNetworks>
<privateNetwork>
<sendOverTunnel>


</sendOverTunnel>
</privateNetwork>
</privateNetworks>
<users>
<user>
</user>
</users>
<ipAddressPools>
<ipAddressPool>
<ipRange>10.112.243.11-10.112.243.57</ipRange>
</ipAddressPool>
</ipAddressPools>
<gatewayList>
<gateway>
<port>443</port>

</gateway>
</gatewayList>

</clientInstallPackages>
<webResources>
<webResource>
VMware, Inc.
229
<name>VMware</name>
</method>
</webResource>
</webResources>
<fullTunnel>
<excludeLocalSubnets>true</excludeLocalSubnets>
</fullTunnel>
<upgradeNotification>false</upgradeNotification>
<advancedConfig>
<forceVirtualKeyboard>false</forceVirtualKeyboard>
<preventMultipleLogon>true</preventMultipleLogon>
<randomizeVirtualkeys>false</randomizeVirtualkeys>
<timeout>

</timeout>
<enablePublicUrlAccess>false</enablePublicUrlAccess>
</advancedConfig>
<authenticationConfiguration>

<ip>1.1.1.1</ip>
<port>90</port>




<ip>3.3.3.3</ip>
<port>90</port>


<passwordPolicy>



230
VMware, Inc.

<allowUserIdWithinPassword>false</allowUserIdWithinPassword> 
</passwordPolicy>




<ip>1.1.1.1</ip>
<port>90</port>



</authenticationConfiguration>
</sslvpnConfig>
Query SSL VPN Configuration

RetrievestheSSLVPNconfigurationsofthespecifiedNSXEdge.
Example 8-174. Query SSL VPN Configuration
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/sslvpn/config/
ResponseBody:
<sslvpnConfig>
<logging> 
</logging>
<serverSettings>
<ip>10.112.243.109</ip>
<port>443</port>
<certificateId>certificate-1</certificateId> -->
VMware, Inc.
231
<cipherList>
</cipherList>
</serverSettings>
<privateNetworks>
<privateNetwork>
<sendOverTunnel>
</sendOverTunnel>
</privateNetwork>
</privateNetworks>
<users>
<user>
</user>
</users>
<ipAddressPools>
<ipAddressPool>
<ipRange>10.112.243.11-10.112.243.57</ipRange>
</ipAddressPool>
</ipAddressPools>
<gatewayList>
<gateway>
<port>443</port>
</gateway>
</gatewayList>

232
VMware, Inc.
</clientInstallPackages>
<webResources>
<webResource>
<name>VMware</name>
</method>
</webResource>
</webResources>
<fullTunnel>
<excludeLocalSubnets>true</excludeLocalSubnets>
</fullTunnel>
<upgradeNotification>false</upgradeNotification>
<advancedConfig>
<forceVirtualKeyboard>false</forceVirtualKeyboard>
<preventMultipleLogon>true</preventMultipleLogon>
<randomizeVirtualkeys>false</randomizeVirtualkeys>
<timeout>
</timeout>
<enablePublicUrlAccess>false</enablePublicUrlAccess>
</advancedConfig>
<authenticationConfiguration>
<ip>1.1.1.1</ip>
<port>90</port>
<ip>3.3.3.3</ip>
<port>90</port>
<passwordPolicy>
<allowUserIdWithinPassword>false</allowUserIdWithinPassword>
VMware, Inc.
233
</passwordPolicy>




VMware, Inc.
<value>0.0</value>
</dashboardStatistic>
<value>0.0</value>
</sslvpnBytesOut>
<sslvpnBytesIn>
<value>0.0</value>
<value>0.0</value>
</sslvpnBytesIn>
<activeClients>
<value>4.0</value>
<value>4.0</value>
</activeClients>
<authFailures>
<value>2.0</value>
<value>2.0</value>
</authFailures>
<sessionsCreated>
<value>4.0</value>
<value>4.0</value>
</sessionsCreated>
</sslvpn>
</data>
Working with L2 VPN

L2VPNallowsyoutoconfigureatunnelbetweentwosites.Virtualmachinesremainonthesamesubnetin
spiteofbeingmovedbetweenthesesites,whichenablesyoutoextendyourdatacenter.AnNSXEdgeatone
sitecanprovideallservicestovirtualmachinesontheothersite.
InordertocreatetheL2VPNtunnel,youconfigureanL2VPNserverandL2VPNclient.
Configure L2VPN
YoufirstenabletheL2VPNserviceontheNSXEdgeinstanceandthenconfigureaserverandaclient.
VMware, Inc.
235
Example 8-177. Configure L2VPN

Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/l2vpn/config/
RequestBody:
<l2Vpn>
<enabled>true</enabled> 
<logging> 
<logLevel>debug</logLevel> 
<enable>true</enable> 
</logging>
<l2VpnSites>
<l2VpnSite>
<name></name> 
<description></description> 
<server> 
<configuration>
<listenerIp>11.0.0.11</listenerIp> 
<listenerPort>443</listenerPort> 
<encryptionAlgorithm>AES256-SHA</encryptionAlgorithm> 
<serverCertificate>certificate-4</serverCertificate> 
<vnic>0</vnic> 
</configuration>
<l2VpnUsers> 
<l2VpnUser>
<userId>admin</userId>
<password>default</password>
</l2VpnUser>
</l2VpnUsers>
</server>
<client> 
<configuration>
<serverAddress>11.0.0.11</serverAddress> 
<serverPort>443</serverPort> 
<caCertificate>certificate-4</caCertificate> 
<vnic>0</vnic> 
</configuration>
<proxySetting> 
<type>http</type>
<address>10.112.243.202</address>
<port>443</port>
<userName>root</userName>
<password>java123</password>
</proxySetting>
<l2VpnUser> 
<password>default</password>
</l2VpnUser>
</client>
</l2VpnSite>
</l2VpnSites>
236
VMware, Inc.
</l2Vpn>
Query L2VPN
RetrievesthecurrentL2VPNconfigurationforNSXEdge.
Example 8-178. Query L2VPN
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/l2vpn/config/
ResponseBody:
<l2Vpn>
<logging>
</logging>
<l2VpnSites>
<l2VpnSite>
<name></name>
<server>
<configuration>
<listenerIp>11.0.0.11</listenerIp>
<listenerPort>443</listenerPort>
<encryptionAlgorithm>AES256-SHA</encryptionAlgorithm>
<serverCertificate>certificate-4</serverCertificate>
<vnic>0</vnic>
</configuration>
<l2VpnUsers>
<l2VpnUser>
</l2VpnUser>
</l2VpnUsers>
</server>
</l2VpnSite>
</l2VpnSites>
</l2Vpn>
Query L2VPN Statistics

RetrievesL2VPNstatisticswhichhasinformationsuchastunnelstatus,sentbytes,recievedbytesetc.forthe
givenedge.
Example 8-179. Query L2VPN statistics
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/l2vpn/config/statistics
ResponseBody:
VMware, Inc.
237
<l2vpnStatusAndStats>
<siteStats>
<l2vpnStats>
<tunnelStatus>up</tunnelStatus>
<establishedDate>0</establishedDate>
<txBytesFromLocalSubnet>1726046</txBytesFromLocalSubnet>
<rxBytesOnLocalSubnet>1838385</rxBytesOnLocalSubnet>
</l2vpnStats>
</siteStats>
</l2vpnStatusAndStats>
Enable L2VPN
EnablesordisablestheL2VPNserviceonedgeapplianceaccordingtothevalueofthequeryparameter
enableService.
Example 8-180. Enable L2VPN
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/l2vpn/config/?enableService=true
ResultCodes:
OnSuccess:204NoContent
OnFailure:
400BadRequest
403Forbiddeniftheuserisnothavingappropriateroleandscope
404Notfound
Delete L2VPN
Example 8-181. Delete L2VPN
Request:
DELETE https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/l2vpn/config/
Working with IPSEC VPN

NSXEdgesupportssitetositeIPSecVPNbetweenanNSXEdgeinstanceandremotesites.NSXEdge
supportscertificateauthentication,presharedkeymode,IPunicasttraffic,andnodynamicroutingprotocol
betweentheNSXEdgeinstanceandremoteVPNrouters.BehindeachremoteVPNrouter,youcanconfigure
multiplesubnetstoconnecttotheinternalnetworkbehindanNSXEdgethroughIPSectunnels.Thesesubnets
andtheinternalnetworkbehindaNSXEdgemusthaveaddressrangesthatdonotoverlap.
YoucandeployanNSXEdgeagentbehindaNATdevice.Inthisdeployment,theNATdevicetranslatesthe
VPNaddressofanNSXEdgeinstancetoapubliclyaccessibleaddressfacingtheInternet.RemoteVPNrouters
usethispublicaddresstoaccesstheNSXEdgeinstance.
YoucanplaceremoteVPNroutersbehindaNATdeviceaswell.YoumustprovidetheVPNnativeaddress
andtheVPNGatewayIDtosetupthetunnel.Onbothends,staticonetooneNATisrequiredfortheVPN
address.
Youcanhaveamaximumof64tunnelsacrossamaximumof10sites.
238
VMware, Inc.
Example 8-182. Configure IPSEC VPN

Request:
PUT https://<vsm-ip>/api/4.0/edges/<edgeId>/ipsec/config
RequestBody:
<ipsec>
<logging> 
<logLevel>debug</logLevel> 
<enable>true</enable> 
</logging>
<global>
<psk>hello123</psk> 
<serviceCertificate>certificate-4</serviceCertificate> 
<caCertificates> 
</caCertificates>
<crlCertificates> 
</crlCertificates>
</global>
<sites>
<site>

<name>VPN to edge-pa-1</name>

<description>psk VPN to edge-pa-1 192.168.11.0/24 == 192.168.1.0/24</description>

<peerIp>any</peerIp>







<localSubnets>
<subnet>192.168.11.0/24</subnet>
</localSubnets>
<peerSubnets>
<subnet>192.168.1.0/24</subnet>
</peerSubnets>
</site>
<site>
<name>VPN to edge-right</name>
<description>certificate VPN to edge-right 192.168.22.0/24 == 192.168.2.0/24</description>
<peerId>C=CN, ST=BJ, L=BJ, O=VMware, OU=DEV, CN=Right</peerId> 
<authenticationMode>x.509</authenticationMode>
<localSubnets>
<subnet>192.168.22.0/24</subnet>
</localSubnets>
<peerSubnets>
<subnet>192.168.2.0/24</subnet>
</peerSubnets>
</site>
</sites>
VMware, Inc.
239
</ipsec>
Retrieve IPSec Configuration

Example 8-183. Get IPSec Configuration
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/ipsec/config
ResponseBodywhenIPSecisnotconfigured:
<ipsec>
<logging>
</logging>
<sites/> 
</ipsec>
ResponseBodywhenIPSecisconfiguredforsitetosite:
<ipsec>
<logging>
</logging>
<global>
<psk>hello123</psk>
<caCertificates> 
</caCertificates>
<crlCertificates>
</crlCertificates>
</global>
<sites>
<site>
<name>VPN to edge-pa-1</name>
<description>psk VPN to edge-pa-1 192.168.11.0/24 == 192.168.1.0/24</description>
<peerIp>any</peerIp>
<localSubnets>
<subnet>192.168.11.0/24</subnet>
</localSubnets>
<peerSubnets>
<subnet>192.168.1.0/24</subnet>
</peerSubnets>
</site>
<site>
<name>VPN to edge-right</name>
<description>certificate VPN to edge-right 192.168.22.0/24 == 192.168.2.0/24</description>
<peerId>C=CN, ST=BJ, L=BJ, O=VMware, OU=DEV, CN=Right</peerId>
240
VMware, Inc.
<authenticationMode>x.509</authenticationMode>
<localSubnets>
<subnet>192.168.22.0/24</subnet>
</localSubnets>
<peerSubnets>
<subnet>192.168.2.0/24</subnet>
</peerSubnets>
</site>
</sites>
</ipsec>
Retrieve IPSec Statistics

Example 8-184. Get IPSEC statistics
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/ipsec/statistics
ResponseBody:
<ipsecStatusAndStats>
<siteStatistics>
<ikeStatus>
<channelStatus>up</channelStatus>
<channelState>STATE_MAIN_I4 (ISAKMP SA established)</channelState>
<lastInformationalMessage></lastInformationalMessage>
<localIpAddress>10.0.0.12</localIpAddress>
<peerIpAddress>10.0.0.2</peerIpAddress>
</ikeStatus>
<tunnelStats>
<tunnelState>STATE_QUICK_I2 (sent QI2, IPsec SA established)</tunnelState>
<localSubnet>192.168.2.0/24</localSubnet>
<peerSubnet>192.168.22.0/24</peerSubnet>
</tunnelStats>
</siteStatistics>
<siteStatistics>
<ikeStatus>
<channelStatus>up</channelStatus>
<channelState>STATE_MAIN_I4 (ISAKMP SA established)</channelState>
<localIpAddress>10.0.0.11</localIpAddress>
<peerIpAddress>10.0.0.1</peerIpAddress>
</ikeStatus>
<tunnelStats>
<tunnelState>STATE_QUICK_I2 (sent QI2, IPsec SA established)</tunnelState>
<localSubnet>192.168.1.0/24</localSubnet>
<peerSubnet>192.168.11.0/24</peerSubnet>
</tunnelStats>
</siteStatistics>
</ipsecStatusAndStats>
VMware, Inc.
241
Query Tunnel Traffic Statistics

Retrievestunneltrafficstatisticsforthespecifiedtimeinterval.Defaultintervalis1hour.Otherpossiblevalues
are1-60 minutes|one day|one week|one month|one year.
Example 8-185. Get tunnel traffic statistics
Request:
GET https://<vsm-ip>/api/4.0/edges/<edgeId>/statistics/dashboard/ipsec?interval=<range>
ResponseBody:
<meta>


</meta>
<data>
<ipsec>
<ipsecTunnels>
<value>0.0</value>
<value>0.0</value>
</ipsecTunnels>
<ipsecBytesIn>
<value>0.0</value>
<value>0.0</value>
</ipsecBytesIn>
<ipsecBytesOut>
<value>0.0</value>
<value>0.0</value>
</ipsecBytesOut>
</ipsec>
</data>
Delete IPSec Configuration

DeletestheIPSECconfigurationforthespecifiedNSXEdge.
Example 8-186. Delete IPSec
Request:
DELETE https://<vsm-ip>/api/4.0/edges/<edgeId>/ipsec/config/
242
VMware, Inc.
Managing an NSX Edge

Force Sync Edge
ResynchronizestheNSXEdgevirtualmachines.
Example 8-187. Force sync Edge
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/{edgeId}?action=forcesync
Redeploy Edge
RedeploysNSXEdgevirtualmachines.
Example 8-188. Redeploy Edge
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/{edgeId}?action=redeploy
Update DNS Settings

Updatednssettings(primary/secondaryandsearchdomain)ofanEdge.
Example 8-189. Update DNS
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/dnsClient
RequestBody:
<dnsClient>
</dnsClient>
Modify AESNI Setting

RedeploysNSXEdgevirtualmachines.
Example 8-190. Modify AESNI
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/aesni?enable=true|false
VMware, Inc.
243
Modify Edge Appliance Core Dump Setting

EnablingEdgeappliancecoredumpfeatureresultsindeploymentofaninbuiltextradisktosavethe
coredumpfiles.Theextradiskconsumes1GBforcompactedgeand8GBforotheredgetypes.Disablingthis
featuredetachesthedisk.
Example 8-191. Modify core dump setting
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/coredump?enable=true|false
Modify FIPs Setting

Example 8-192. Modify FIPs
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/fips?enable=true|false
Modify Log Setting

Example 8-193. Modify log setting
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/logging?level=<logLevel>
Query Edge Summary

RetrievesdetailsaboutthespecifiedEdge.
Example 8-194. Retrieve Edge details
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/summary
RequestBody:
<edgeSummary>
<objectId>edge-32</objectId>
<type>
<typeName>Edge</typeName>
</type>
<name>vShield-edge-32</name>
<objectTypeName>Edge</objectTypeName>
<id>edge-32</id>
<state>deployed</state>
<datacenterName>Datacenter</datacenterName>
<apiVersion>4.0</apiVersion>
<numberOfConnectedVnics>2</numberOfConnectedVnics>
<appliancesSummary>
<vmVersion>5.1.0</vmVersion>
<fqdn>vShield-edge-32</fqdn>
<numberOfDeployedVms>1</numberOfDeployedVms>
<activeVseHaIndex>0</activeVseHaIndex>
<vmMoidOfActiveVse>vm-301</vmMoidOfActiveVse>
244
VMware, Inc.
<vmNameOfActiveVse>vShield-edge-32-0</vmNameOfActiveVse>
<hostMoidOfActiveVse>host-159</hostMoidOfActiveVse>
<hostNameOfActiveVse>10.20.114.8</hostNameOfActiveVse>
<resourcePoolMoidOfActiveVse>resgroup-208</resourcePoolMoidOfActiveVse>
<resourcePoolNameOfActiveVse>Resources</resourcePoolNameOfActiveVse>
<dataStoreMoidOfActiveVse>datastore-160</dataStoreMoidOfActiveVse>
<dataStoreNameOfActiveVse>storage1</dataStoreNameOfActiveVse>
<statusFromVseUpdatedOn>1310625858000</statusFromVseUpdatedOn>
</appliancesSummary>
<featureCapabilities>
<featureCapability>
<service>nat</service>
<isSupported>true</isSupported>
<configurationLimit>
<key>MAX_RULES_PER_ACTION</key>
<value>2048</value>
</configurationLimit>
</featureCapability>
<featureCapability>
<service>syslog</service>
<key>MAX_SERVER_IPS</key>
<value>2</value>
<featureCapability>
<service>staticRouting</service>
<key>MAX_ROUTES</key>
<value>2048</value>
<featureCapability>
<service>ipsec</service>
<key>MAX_TUNNELS</key>
<value>64</value>
<featureCapability>
<service>loadBalancer</service>
<key>MAX_POOLS</key>
<value>10</value>
<key>MAX_VIRTUAL_SERVERS</key>
<value>10</value>
<key>MAX_MEMBERS_IN_POOL</key>
<value>32</value>
<featureCapability>
<service>fw</service>
<key>MAX_RULES</key>
<value>2048</value>
<featureCapability>
VMware, Inc.
245
<service>dns</service>
<key>MAX_SERVER_IPS</key>
<value>2</value>
<featureCapability>
<service>sslvpn</service>
<key>MAX_CONCURRENT_USERS</key>
<value>25</value>
<featureCapability>
<service>edge</service>
<key>MAX_APPLIANCES</key>
<value>2</value>
<key>MAX_VNICS</key>
<value>10</value>
<featureCapability>
<service>firewall</service>
<key>MAX_RULES</key>
<value>2048</value>
<featureCapability>
<service>dhcp</service>
<key>MAX_POOL_AND_BINDINGS</key>
<value>2048</value>
<featureCapability>
<service>highAvailability</service>
<key>MAX_MANAGEMENT_IPS</key>
<value>2</value>
</featureCapabilities>
</edgeSummary>
Query Edge Status

RetrievesthestatusofthespecifiedEdge.
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/status
RequestBody:
<edgeStatus>
246
VMware, Inc.
<systemStatus>good</systemStatus>
<activeVseHaIndex>0</activeVseHaIndex>
<edgeStatus>GREEN</edgeStatus>

<publishStatus>APPLIED</publishStatus> 
<version>8</version> 
<edgeVmStatus>
<edgeVmStatus>
<edgeVMStatus>GREEN</edgeVMStatus> 
<haState>active</haState> 
<index>0</index>
<id>vm-358</id>
<name>test2-0</name>
</edgeVmStatus>
<edgeVmStatus>
<edgeVMStatus>GREEN</edgeVMStatus>
<haState>active</haState>
<index>1</index>
<id>vm-362</id>
<name>test2-1</name>
</edgeVmStatus>
</edgeVmStatus>
<featureStatuses>
<featureStatus>
<service>loadBalancer</service>
<configured>false</configured>
<serverStatus>down</serverStatus>
</featureStatus>
<featureStatus>
<service>dhcp</service>
<configured>true</configured>
<publishStatus>Applied</publishStatus>
<serverStatus>up</serverStatus>
</featureStatus>
<featureStatus>
<service>sslvpn</service>
</featureStatus>
<featureStatus>
<service>syslog</service>
</featureStatus>
<featureStatus>
<service>nat</service>
</featureStatus>
<featureStatus>
<service>dns</service>
</featureStatus>
<featureStatus>
<service>ipsec</service>
</featureStatus>
<featureStatus>
<service>firewall</service>
</featureStatus>
<featureStatus>
VMware, Inc.
247
<service>staticRouting</service>
</featureStatus>
<featureStatus>
<service>highAvailability</service>
</featureStatus>
</featureStatuses>
</edgeStatus>
Thiscallcanbeusedwiththefollowingqueryparameters:
getlatest:fetchesthestatuslivefromNSXEdgewhensettotrue(default).Whenfalse,fetchesthelatest
availablestatusfromdatabase.
detailed:fetchesthedetailedstatusperfeaturewhensettotrue.Whenfalse(default),givesanaggregated
summaryofthestatusperfeature.
Samplecallsinclude:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/status?getlatest=false&detailed=true
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/status?getlatest=true&detailed=true
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/status?getlatest=false&detailed=false
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/status?detailed=true
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/status?getlatest=false
Query Edge Tech Support Logs

RetrievesthetechsupportlogsforthespecifiedEdge.
Example 8-196. Query tech support logs
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/techsupportlogs
Manage CLI Credentials and Access

YoucanmodifytheCLIcredentialsandenableordisableSSHservicesforaEdgeEdge.
Modify CLI Credentials

YoucanusethisAPIto:
ModifythepasswordandpasswordexpiryforanexistingCLIuser.
ChangetheCLIlogin(ssh)bannertext.
ModifyboththeusernameandpasswordforEdgeCLIUser.Thisresultsin:
deletionoftheolduser.
creationofthenewuserwithspecifiedusernameandpassword.
Example 8-197. Modify CLI credentials

Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/{edgeId}/clisettings
RequestBody:
<cliSettings> 
<userName>test</userName>
248
VMware, Inc.
<password>testpass</password>
<remoteAccess>true</remoteAccess>
<passwordExpiry>30</passwordExpiry> 
<sshLoginBannerText>

Hello, VshieldEdge Administrator
</sshLoginBanerText>
</cliSettings>
Change CLI Remote Access

EnablesordisablestheSSHserviceonthespecifiedEdgeEdge.
Example 8-198. Change CLI remote access
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/cliremoteaccess?enable=true|false
Manage Auto Configuration Settings

Autoconfigurationdefaultsettingisenabledbydefaultandthepriorityishigh.
Ifyoudisableautoconfigurationsettings,youmustaddtherequiredNAT,firewall,routingrulestoenable
controlchanneltrafficforotherservicessuchasloadbalancing,VPN,etc.
Ifyouchangethepriorityoftheautoconfigurationsettingstolow,theinternal/autoconfiguredrulesare
placedinlowerprecedencethantherulesyoucreate.Withthis,youcanagaincontrolspecialallow/denyrules
fortheseservicestoo.Forexample,youcanblockspecificIPaddressesfromaccessingtheVPNservices.
Modify Auto Configuration Settings

ChangestheautoconfigurationsettingsfortheNSXEdge.
Example 8-199. Modify auto configuration settings
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/autoconfiguration
RequestBody:
<autoConfiguration>
Query Auto Configuration Settings

RetrievesautoconfigurationsettingsfortheNSXEdge.
Example 8-200. Retrieve auto configuration settings
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/autoconfiguration
ResponseBody:
<autoConfiguration>
Working with Appliances

YoucanmanagetheEdgeEdgeapplianceswiththeseRESTcalls.
VMware, Inc.
249
NOTEDonotusehidden/systemresourcepoolIDsastheyarenotsupportedontheUI.
Query Appliance Configuration

Retrievesconfigurationofbothappliances.
Example 8-201. Get appliance configuration
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/appliances
ResponseBody:
<appliances>
<applianceSize>large</applianceSize>
<appliance>
<customField>
</customField>
<cpuReservation>
<limit>2399</limit>
</cpuReservation>
<memoryReservation>
<limit>5000</limit>
</appliance>
<appliance>
<customField>
</customField>
<cpuReservation>
<limit>2399</limit>
</cpuReservation>
<memoryReservation>
<limit>5000</limit>
</appliance>
</appliances>
Modify Appliance Configuration

YoucanretrievetheconfigurationofbothappliancesbyusingtheGETcallinExample 8201andreplacethe
size,resourcepool,datastore,andcustomparametersoftheappliancesbyusingaPUTcall.Ifthereweretwo
appliancesearlieryouPUTonlyoneappliance,theotherapplianceisdeleted.
250
VMware, Inc.
Example 8-202. Modify appliance configuration

Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/appliances
RequestBody:
<appliances>
<applianceSize>COMPACT</applianceSize>
<appliance>
</appliance>
<appliance>
</appliance>
</appliances>
Change Appliance Size

Changesthesizeofbothappliances.
Example 8-203. Change appliance size
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/appliances/?size=compact|large|xlarge
Manage an Appliance
YoucanmanageanappliancebyspecifyingitsHAindex.
Query Appliance
RetrievestheconfigurationoftheappliancewiththespecifiedhaIndex.
Example 8-204. Get configuration of appliance with specified haIndex
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/appliances/haIndex
ResponseBody:
<appliance>
<customField>
</customField>
<cpuReservation>
<limit>2399</limit>
</cpuReservation>
<memoryReservation>
<limit>5000</limit>
VMware, Inc.
251
</appliance>
Modify Appliance
ModifiestheconfigurationoftheappliancewiththespecifiedhaIndex.
Example 8-205. Modify configuration of appliance with specified haIndex
Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/appliances/haIndex
RequestBody:
<appliance>
<customField>
</customField>
<cpuReservation>
<limit>2399</limit>
</cpuReservation>
<memoryReservation>
<limit>5000</limit>
</appliance>
Delete Appliance
DeletestheappliancewiththespecifiedhaIndex.
Example 8-206. Delete appliance configuration
Request:
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/appliances/haIndex
Working with Interfaces

YoucanadduptoteninternaloruplinkinterfacestoeachEdgeEdgeinstance.AEdgeEdgemusthaveatleast
oneinternalinterfacebeforeitcanbedeployed.
Add Interfaces
YoucanconfigureoneormoreinterfaceforanNSXEdge.Thespecifiedconfigurationisstoredinthedatabase.
Ifanyappliance(s)isassociatedwiththisEdgeEdgeinstance,thespecifiedconfigurationisappliedtothe
applianceaswell.
Example 8-207. Add an interface
Request:
POST https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/vnics/?action=patch
RequestBody:
252
VMware, Inc.
<vnics> 
<vnic>
<index>0</index>
<name>internal0</name> 
<type>internal</type> 
<portgroupId>dvportgroup-114</portgroupId> 
<addressGroups>
</addressGroup>
</addressGroup>
<subnetPrefixLength>64</subnetPrefixLength> 
</addressGroup>
</addressGroups>
<macAddress> 
<edgeVmHaIndex>0</edgeVmHaIndex> 
<value>00:50:56:01:03:23</value> 
</macAddress>
<fenceParameter> 
<value>1</value>
</fenceParameter>
<mtu>1500</mtu> 
<enableProxyArp>false</enableProxyArp> 
<enableSendRedirects>true</enableSendRedirects> 
<enableBridgeMode>false</enableBridgeMode> 
<isConnected>true</isConnected> 
</inShapingPolicy>
</outShapingPolicy>
</vnic>
</vnics>
where:
VMware, Inc.
253
inShapingPolicy,outShapingPolicyareoptional.Canonlybespecifiedforavnicconnectedtoa
distributedportgroup.
averageBandwidthisarequiredfield.Otherfieldsareoptional.Ifnotspecified,peakBandwidthis
defaultedtoaverageBandwidth,burstSizeisdefaultedto0,enabledisdefaultedtotrue,inheritedis
defaultedtofalse.averageBandwidth,peakBandwidthandburstSizevaluesareinbitspersecond.
addressGroupscontainsIPaddressesfortheinterfacewitheachaddressGrouprepresentingtheIPaddresses
withinthesamesubnet.Foreachsubnet,youcanspecifyaprimaryAddress(required),secondaryAddress
(optional),andthesubnetMask(required).
Retrieve Interfaces for a Edge Edge

RetrievesallinterfacesforthespecifiedEdgeEdge.
Example 8-208. Retrieve all interfaces
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/vnics
ResponseBody:
<vnics>
<vnic>
<index>0</index>
<type>uplink</type>
<addressGroups>
<addressGroup>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
<inShapingPolicy>
</inShapingPolicy>
<outShapingPolicy>
</outShapingPolicy>
</vnic>
<vnic>
...
</vnic>
</vnics>
Delete Interfaces
DeletesoneormoreinterfacesforaEdgeEdge.Storesthespecifiedconfigurationindatabase.Ifany
254
VMware, Inc.
Example 8-209. Delete interface

Request:
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/vnics/?index=<vnicIndexId1>&index=<vnicIndexId2>
Manage a Edge Interface

YoucanmanageaspecificEdgeinterface.
Retrieve Interface with Specific Index

RetrievestheinterfacewithspecifiedindexforaEdgeEdge.
Example 8-210. Get interface with specific index
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/vnics/index
ResponseBody:
<vnic>
<index>0</index>
<type>uplink</type>
<portgroupName>Mgmt</portgroupName>
<addressGroups>
<addressGroup>
</addressGroup>
<addressGroup>
<subnetMask>255.255.255.0</subnetMask> 
</addressGroup>
<addressGroup>
<primaryAddress>ffff::1</primaryAddress>
</addressGroup>
</addressGroups>
<mtu>1500</mtu>
</vnic>
Modify an Interface
Modifiesthespecifiedinterface.
VMware, Inc.
255
Example 8-211. Modify interface

Request:
PUT https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/vnics/<index>
ResponseBody:
<vnic>
<index>0</index>


<addressGroups>
<addressGroup>

<secondaryAddresses>
</addressGroup>
</addressGroups>
<macAddress>

<edgeVmHaIndex>0</edgeVmHaIndex>
<value>00:50:56:01:03:23</value>
</macAddress>
<fenceParameter>

<value>1</value>
</fenceParameter>
<mtu>1500</mtu>




<inShapingPolicy>

</inShapingPolicy>
<outShapingPolicy>

</outShapingPolicy>
</vnic>
Delete Interface Configuration

Deletestheinterfaceconfigurationandresetsittothefactorydefault.
Example 8-212. Delete interface configuration
Request:
DELETE https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/vnics/index
256
VMware, Inc.
Query Interface Statistics

Query Statistics for all Interfaces
Retrievesstatisticsforallconfiguredinterfacesbetweenthespecifiedstartandendtimes.Whenstartandend
timearenotspecified,allstatisticssincetheEdgeEdgedeployedaredisplayed.Whennoendtimeisspecified,
thecurrentEdgeManagertimeissetasendTime.Eachrecordhasthestatsof5minutesgranularity.
Example 8-213. Get interface statistics
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/statistics/interfaces
ResponseBody:
<statistics>
<meta>



</meta>
<data>
<statistic>
<vnic>0</vnic>
<in>9.1914285714e+02</in>

<out>5.1402857143e+02</out>

</statistic>
...
...
<statistic>
<vnic>1</vnic>
<in>9.2914285714e+02</in>
<out>5.2402857143e+02</out>
</statistic>
</data>
</statistics>
Query Statistics for Uplink Interfaces

Retrievesstatisticsforalluplinkinterfacesbetweenthespecifiedstartandendtimes.Whenstartandendtime
arenotspecified,allstatisticssincetheEdgeEdgedeployedaredisplayed.Whennoendtimeisspecified,the
currentEdgeManagertimeissetasendTime.Eachrecordhasthestatsof5minutesgranularity.
Example 8-214. Get uplink interface statistics
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/statistics/interfaces/uplink
ResponseBody:
<statistics>
<meta>


</meta>
<data>
<statistic>
<vnic>0</vnic>
VMware, Inc.
257
<in>9.1914285714e+02</in>
<out>5.1402857143e+02</out>
</statistic>
...
...
<statistic>
<vnic>1</vnic>
<in>9.2914285714e+02</in>
<out>5.2402857143e+02</out>
</statistic>
</data>
</statistics>
Query Statistics for Internal Interfaces

Retrievesstatisticsforallinternalinterfacesbetweenthespecifiedstartandendtimes.Whenstartandend
timearenotspecified,allstatisticssincetheEdgeEdgedeployedaredisplayed.Whennoendtimeisspecified,
thecurrentEdgeManagertimeissetasendTime.Eachrecordhasthestatsof5minutesgranularity.
Example 8-215. Get internal interface statistics
Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/statistics/interfaces/internal
ResponseBody:
<statistics>
<meta>


</meta>
<data>
<statistic>
<vnic>0</vnic>
<in>9.1914285714e+02</in>
<out>5.1402857143e+02</out>
</statistic>
...
...
<statistic>
<vnic>1</vnic>
<in>9.2914285714e+02</in>
<out>5.2402857143e+02</out>
</statistic>
</data>
</statistics>
Query Dashboard Statistics

Retrievesdashboardstatisticsbetweenthespecifiedstartandendtimes.Whenstartandendtimearenot
specified,allstatisticssincetheEdgeEdgedeployedaredisplayed.Whennoendtimeisspecified,thecurrent
EdgeManagertimeissetasendTime.Eachrecordhasthestatsof5minutesgranularity.
258
VMware, Inc.
Example 8-216. Get interface statistics

Request:
GET https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/statistics/dashboard/interface?interval=<range>
ResponseBody:
<dashboardstatistics>
<meta>


</meta>
<data>
<interfaces>
<vNic_0_in_pkt>
<timestamp></timestamp>
<value></value>
<timestamp></timestamp>
<value></value>
...
...
<vNic_0_in_pkt>
...
...
</interfaces>
</data>
</data>
</dashboardstatistics>
VMware, Inc.
259
260
VMware, Inc.
Distributed Firewall Management
DistributedFirewallisahypervisorkernelembeddedfirewallthatprovidesvisibilityandcontrolfor
virtualizedworkloadsandnetworks.YoucancreateaccesscontrolpoliciesbasedonVMwarevCenterobjects
likedatacentersandclusters,virtualmachinenamesandtags,networkconstructslikeIP/VLAN/VXLAN
addresses,aswellasusergroupidentityfromActiveDirectory.FirewallrulesareenforcedatthevNIClevel
ofeachvirtualmachinetoprovideconsistentaccesscontrolevenwhenthevirtualmachinegetsvMotioned.
Thehypervisorembeddednatureofthefirewalldeliversclosetolineratethroughputtoenablehigher
workloadconsolidationonphysicalservers.Thedistributednatureofthefirewallprovidesascaleout
architecturethatautomaticallyextendsfirewallcapacitywhenadditionalhostsareaddedtoaprepared
cluster.
DistributedFirewalloffersmultiplesetsofconfigurablerules:Layer3(L3)rules(Generaltab)andLayer2(L2)
rules(Ethernettab).Layer2firewallrulesareprocessedbeforeLayer3rules.Thedefaultfirewallruleallows
allL3andL2traffictopassthroughallclustersinyourinfrastructure.Thedefaultruleisalwaysatthebottom
oftherulestableandcannotbedeletedoraddedto.However,youcanchangetheActionelementoftherule
fromAllowtoBlock,addcommentsfortherule,andindicatewhethertrafficforthatruleshouldbelogged.
Firewallrulesarecreatedattheglobalscope,butyoucanthennarrowthescope(datacenter,cluster,
distributedvirtualportgroup,network,virtualmachine,vNIC,orvirtualwire)atwhichyouwanttoapply
therulebyusingtheAppliedTokeyword.
Userdefinedfirewallrulesareenforcedintoptobottomordering,withapervirtualNIClevelprecedence.
EachtrafficsessionischeckedagainstthetopruleintheFirewalltablebeforemovingdownthesubsequent
rulesinthetable.Thefirstruleinthetablethatmatchesthetrafficparametersisenforced.
Thefollowngtableliststheelementsthatcanbeusedinfirewallrules.
Table 9-1. Firewall rule elements
Element
Keyword for API
Used In
application
Application
service
applicationgroup
ApplicationGroup
service
clustercomputeresource
ClusterComputeResource
AppliedTo
datacenter
Datacenter
source/destination
AppliedTo
distributedvirtualportgroup
DistributedVirtualPortgroup
source/destination
AppliedTo
globalroot
GlobalRoot
source/destination
IPv4addresses
Ipv4Address
source/destination
IPv6addresses
Ipv6Address
source/destination
logicalswitch
VirtualWire
source/destination
AppliedTo
network
VMware, Inc.
Network
AppliedTo
261
Table 9-1. Firewall rule elements

Element
Keyword for API
Used In
resourcepool
ResourcePool
source/destination
securitygroup
SecurityGroup
source/destination
virtualapp
VirtualApp
source/destination
virtualmachine
VirtualMachine
source/destination
AppliedTo
vNIC
Vnic
source/destination
AppliedTo
ForinformationoncreatinganIPSet,seeWorkingwithIPsetsonpage 60.Forinformationoncreatinga
securitygroup,seeWorkingwithSecurityGroupsonpage 53.
Distributedfirewallcanhelpincreatingidentitybasedrulesaswell.Administratorscanenforceaccesscontrol
basedontheusersgroupmembershipasdefinedintheenterpriseActiveDirectory.Herearesomescenarios
whereidentitybasedfirewallrulescanbeused:
Useraccessingvirtualapplicationsusingalaptop/mobiledevicewhereADisusedforuserauthentication
UseraccessingvirtualapplicationsusingVDIinfrastructurewherethevirtualmachinesareMicrosoft
Windowsbased
ConfiguringDistributedFirewallonpage 262
WorkingwithFirewallSectionsonpage 266
WorkingwithFirewallRulesonpage 270
QueryStatusonpage 273
SynchronizingandEnablingFirewallonpage 276
ImportingandExportingFirewallConfigurationsonpage 277
FirewallMigrationSwitchonpage 281
ConfiguringFailSafeModeforDistributedFirewallonpage 282
WorkingwithSpoofGuardonpage 283
GettingFlowStatisticDetailsonpage 285
FlowExclusiononpage 291
ExcludingVirtualMachinesfromFirewallProtectiononpage 293
Configuring Distributed Firewall

Thefirewalltableincludesonesectionbydefaultthatcontainsthedefaultrule.Youcanaddadditional
sectionstosegregatefirewallrules
Firewallrulesareenforcedintoptobottomordering.DistributedFirewallcheckseachtrafficsessionagainst
thetopruleinthefirewalltablebeforemovingdownthesubsequentrulesinthetable.Thefirstruleinthe
tablethatmatchesthetrafficparametersisenforced.SeetheNSXAdministrationGuideformoreinformation
aboutthehierarchyofDistributedFirewallrules.
262
VMware, Inc.
Chapter 9 Distributed Firewall Management
Query Firewall Configuration

YoucanretrievethethefullfirewallconfigurationconsistingofallrulesthathasbeendefinedontheNSX
Manager.
Example 9-1. Get firewall configuration for NSX Manager
Request:
GET https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/config
ResponseBody:
HTTP/1.1 200 OK
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: JSESSIONID=4CAE025C868939C35245B2553079807A; Path=/
ETag: 1395341576368
Date: Wed, 02 Oct 2013 20:58:39 GMT
Server: vShield Manager
Content-Type: application/xml
Transfer-Encoding: chunked
<firewallConfiguration timestamp="1360144793284">
<contextId>globalroot-0</contextId>
<layer3Sections>
<section id="2" name="defaultSectionLayer3" generationNumber="1360144793284" timestamp="1360144793284">
<rule id="2" disabled="false" logged="false">
<name>Default Rule</name>
<action>DENY</action>
<sectionId>2</sectionId>
</rule>
</section>
</layer3Sections>
<layer2Sections>
<action>ALLOW</action>
</rule>
</section>
</layer2Sections>
</firewallConfiguration>
Modify Firewall Configuration

Followtheprocedurebelowtomodifythefirewallconfiguration.
1
RunaGETcallforthefirewallconfiguration.
ExtracttheXMLfromtheresponsebodyoftheGETcallandmodifyitasrequired.
FromtheResponseHeaderinStep1,copytheEtagheadervalue.
VMware, Inc.
263
AddthenumberastheIfMatchheaderinthePUTcall.
PassthemodifiedXMLastheRequestBodyinaPUTcall.
Notallfieldsarerequiredwhilesendingtherequest.Refertotheoptionalfieldintheschema
definitionofvariousobjects.Alltheoptionalfieldsaresafetobeignoredwhilesendingthe
configurationtoserver.Forexample,ifanIPSetisreferencedintheruleonlyIPSetandTypeis
neededintheSource/DestinationobjectsandnotNameandisValidtags.
IDsfornewobjects(rule/section)shouldberemovedorsettozero.
Ifnewentities(sections/rules)havebeensentintherequest,theresponsewillcontainthe
systemgeneratedids,whichareassignedtothesenewentities.TheseIDidentifiestheresourceand
canbeusedintheurlsifyouwanttooperateontheseentitiesusingthoseURLs.
Example 9-2. Modify firewall configuration

Request:
PUT https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/config
--header 'Content-Type:text/xml' --header 'if-match:"1380747467905"
RequestBody:
<firewallConfiguration timestamp="1359979620727">
<layer3Sections>
<rule disabled="false" logged="true">
<name>okn-1</name>
<sources excluded="false">
<source>
<value>datacenter-57</value>
<type>Datacenter</type>
</source>
<source>
<value>domain-c62</value>
<type>ClusterComputeResource</type>
</source>
<source>
<value>10.112.1.1</value>
<type>Ipv4Address</type>
</source>
</sources>
<services>
<service>
<destinationPort>80</destinationPort>
264
VMware, Inc.
<protocol>6</protocol>
<subProtocol>6</subProtocol>
</service>
<service>
<value>application-161</value>
<type>Application</type>
</service>
</services>
<appliedToList>
<appliedTo>
<value>5013bcd8-c666-1e28-c7a9-600da945954f.000</value>
<type>Vnic</type>
</appliedTo>
<appliedTo>
<value>vm-126</value>
<type>VirtualMachine</type>
</appliedTo>
</appliedToList>
</rule>
<rule disabled="true" logged="true">
<name>Matru-1</name>
</rule>
</rule>
</rule>
<rule id="2" disabled="true" logged="false">
</rule>
</section>
</layer3Sections>
<layer2Sections>
</rule>
</section>
</layer2Sections>
</firewallConfiguration>
Delete Firewall Configuration

Restoresdefaultconfiguration,whichmeansonedefaultLayer3sectionwithdefaultallowruleandone
defaultLayer2Sectionwithdefaultallowrule.
Example 9-3. Delete firewall configuration
Request:
DELETE https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/config
VMware, Inc.
265
Working with Firewall Sections

YoucanusesectionsinthefirewalltabletogrouplogicalrulesbasedonAppliedToorforatenantusecase.A
firewallsectionisthesmallestunitofconfigurationwhichcanbeupdatedindependently.Therearetwokinds
ofsections
Layer3Sectioncontainslayer3rules
Layer2Sectioncontainslayer2rules
Query Firewall Sections

RetrievessectionconfigurationeitherbysectionIDorsectionname.
Example 9-4. Getsectionconfiguration
Request:
GET https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/config/layer3sections|layer2sections/<sectionId> |<sectionName>
ResponseBody:
<section id="4" name="TestSection" generationNumber="1360149234572" timestamp="1360149234572">
<rule id="16" disabled="false" logged="true">
<name>okn-2</name>
<appliedToList>
<appliedTo>
<name>vm1 - Network adapter 1</name>
<type>Vnic</type>
<isValid>true</isValid>
</appliedTo>
<appliedTo>
<name>Small XP-2</name>
</appliedTo>
</appliedToList>
<source>
<name>5.1 ESX</name>
</source>
<source>
<name>5.1</name>
</source>
<source>
</source>
</sources>
<services>
<service>
</service>
<service>
266
VMware, Inc.
<name>VMware-VDM2.x-Ephemeral</name>
</service>
</services>
</rule>
<rule id="15" disabled="true" logged="true">
</rule>
<name>test-3</name>
</rule>
<name>test-2</name>
</rule>
<name>test-1</name>
</rule>
</section>
Add Firewall Section

Addsasectionatthetopofthefirewalltable.
Example 9-5. Addsection
Request:
POST https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/config/layer3sections|layer2sections
RequestBody:
<section name="TestSection">
<rule disabled="false" logged="true">
<name>okn-2</name>
<appliedToList>
<appliedTo>
<type>Vnic</type>
</appliedTo>
<appliedTo>
</appliedTo>
</appliedToList>
<source>
</source>
<source>
VMware, Inc.
267
<name>5.1</name>
</source>
<source>
</source>
</sources>
<services>
<service>
</service>
<service>
</service>
</services>
</rule>
</rule>
<name>test-3</name>
</rule>
<name>test-2</name>
</rule>
<rule disabled="true" logged="false">
<name>test-1</name>
</rule>
</section>
LocationHeaderintheresponsebodycontainstheresourceurlforthenewlycreatedruleresource.ThisURL
canbeusedtoidentifythisresource.
Modify Firewall Section

Followtheprocedurebelowtomodifyafirewallsection.
268
RunaGETcallforthefirewallsection.
VMware, Inc.
Example 9-6. Modifysection

Request:
PUT https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/config/layer3sections|layer2sections/<sectionId> |<sectionName>
--header 'Content-Type:text/xml' --header 'if-match:"1360149234572"
RequestBody:
<section id="4" name="TestSectionRenamed" generationNumber="1360149234572" timestamp="1360149234572">
<name>okn-2</name>
<appliedToList>
<appliedTo>
<type>Vnic</type>
</appliedTo>
<appliedTo>
</appliedTo>
</appliedToList>
<source>
</source>
<source>
<name>5.1</name>
</source>
<source>
</source>
VMware, Inc.
269
</sources>
<services>
<service>
</service>
<service>
</service>
</services>
</rule>
</rule>
<name>test-3</name>
</rule>
<name>test-2</name>
</rule>
<name>test-1</name>
</rule>
</section>
Delete Firewall Section

Deletesthespecifiedsection.Ifthesectioncontainsadefaultrule,thesectionisnotdeletedbutallrulesexcept
forthedefaultruleareremovedfromthatsection.
Ifthesectiondoesnotcontainadefaultrule,thesectionandallitsrulesaredeleted.
Example 9-7. Deletesection
Request:
DELETE https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/config/layer3sections|layer2sections/<sectionId> |<sectionName>
Working with Firewall Rules

Youaddfirewallrulesattheglobalscope.Youcanthennarrowdownthescope(datacenter,cluster,
distributedvirtualportgroup,network,virtualmachine,vNIC,orvirtualwire)atwhichyouwanttoapply
therule.Firewallallowsyoutoaddmultipleobjectsatthesourceanddestinationlevelsforeachrule,which
helpsreducethetotalnumberoffirewallrulestobeadded.
Toaddaidentitybasedfirewallrule,firstcreateasecuritygroupbasedonDirectoryGroupobjects.Then
createafirewallrulewiththesecuritygroupasthesourceordestination.
Query Firewall Rule

RetrievesruledetailsfromeitheraLayer3orLayer2section.
270
VMware, Inc.
Example 9-8. Get firewall rule

Request:
GET https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/config/layer3sections|layer3sections/<sectionNumber>/rules/<ruleNumber>
ResponseBody:
HTTP/1.1 200 OK
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=FED4857DF7A2A5CCD7F818A87F463629; Path=/
ETag: 1380747467905
Date: Wed, 02 Oct 2013 21:04:29 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
<name>Section-2-Rule-1</name>
<action>allow</action>
<notes>Example with multile sources and any appliedTo with source containing vnics and raw-ips</notes>
<source>
<value>10.112.1.0-10.112.1.10</value>
</source>
<source>
<name>2-rhel53-srv-32-local-129-fa110b77-c303-4113-ab66-88c5ed9a5177 - Network adapter 1</name>
<value>fa110b77-c303-4113-ab66-88c5ed9a5177.000</value>
<type>Vnic</type>
</source>
<source>
<value>192.168.1.1</value>
</source>
</sources>
<destinations excluded="false">
<destination>
<name>1-datacenter-129</name>
</destination>
</destinations>
<services>
<service>
<name>AD Server</name>
</service>
</services>
</rule>
Add Firewall Rule

AddsaruleatthetopoftheexistingconfigurationinaLayer2orLayer3section.
Example 9-9. Add firewall rule
Request:
VMware, Inc.
271
POST https://<nsxmgr-ip>/api/4.0/firewall//globalroot-0/config/layer3sections|layer3sections/<sectionNumber>/rules
RequestBody:
<rule disabled="enabled" logged="false">
<name>AddRuleTest</name>
<notes />
<appliedToList>
<appliedTo>
</appliedTo>
</appliedToList>
<sources excluded="true">
<source>
</source>
</sources>
<services>
<service>
</service>
</services>
</rule>
Modify Firewall Rule

ModifiesaruleintheLayer2orLayer3section.Followtheprocedurebelowtomodifyafirewallrule.
Followtheprocedurebelowtomodifythefirewallconfiguration.
272
RunaGETcallforthefirewallfules.
VMware, Inc.
Example 9-10. Modify firewall rule

Request:
PUT https://<nsxmgr-ip>/api/4.0/firewall//globalroot-0/config/layer3sections|layer3sections/<sectionNumber>/rules
--header 'Content-Type:text/xml' --header 'if-match:"1380747467905"'
RequestBody:
<rule id="23" disabled="enabled" logged="true">
<name>AddRuleTestUpdated</name>
<notes />
<appliedToList>
<appliedTo>
</appliedTo>
</appliedToList>
<sources excluded="true">
<source>
</source>
</sources>
<services>
<service>
</service>
</services>
</rule>
Query Status
Retrievesstatusoftheentirefirewallconfigurationorindividualsections.
Query Firewall Configuration Status

Example 9-11. Get firewall configuration status
Request:
GET https://<nsxmgr-ip>/api/4.0/firewall//globalroot-0/status
ResponseBody:
<firewallStatus>
VMware, Inc.
273
<status>published</status>
<generationNumber>1380747467905</generationNumber>
<clusterList>
<clusterStatus>
<clusterId>domain-c256</clusterId>
<hostStatusList>
<hostStatus>
<errorCode>0</errorCode>
</hostStatus>
</hostStatusList>
</clusterStatus>
<clusterStatus>
<hostStatusList>
<hostStatus>
</hostStatus>
</hostStatusList>
</clusterStatus>
</clusterList>
</firewallStatus>
Query Layer3 Section Status

Example 9-12. Get Layer3 status
Request:
GET https://<nsxmgr-ip>/api/4.0/firewall//globalroot-0/status/layer3sections/<sectionNumber>
ResponseBody:
<firewallStatus>
<clusterList>
<clusterStatus>
<hostStatusList>
<hostStatus>
274
VMware, Inc.
</hostStatus>
</hostStatusList>
</clusterStatus>
<clusterStatus>
<hostStatusList>
<hostStatus>
</hostStatus>
</hostStatusList>
</clusterStatus>
</clusterList>
</firewallStatus>
Query Layer2 Section Status

Example 9-13. Get layer2 status
Request:
GET https://<nsxmgr-ip>/api/4.0/firewall//globalroot-0/status/layer2sections/<sectionNumber>
ResponseBody:
<firewallStatus>
<clusterList>
<clusterStatus>
<hostStatusList>
<hostStatus>
</hostStatus>
</hostStatusList>
</clusterStatus>
<clusterStatus>
<hostStatusList>
<hostStatus>
VMware, Inc.
275
</hostStatus>
</hostStatusList>
</clusterStatus>
</clusterList>
</firewallStatus>
Synchronizing and Enabling Firewall

You can force hosts and clusters to synchronize with the last good configuration in the NSX Manager database.
Force Sync Host

Forcesthehosttosynchwiththelastgoodconfiguration
Example 9-14. Force sync host
Request:
POST https://<nsxmgr-ip>/api/4.0/firewall/forceSync/<hostID>
ResponseBody:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=EADEDB6AC7323C3FE42E43B8739FBB1F; Path=/
Location: /api/2.0/services/taskservice/job/jobdata-658
Date: Wed, 02 Oct 2013 21:08:52 GMT
Content-Length: 0
ThelocationheadercontainsthetaskURL,whichcanbeusedtomonitortheoveralltaskstatus.
Force Sync Cluster

Example 9-15. Force sync cluster
Request:
POST https://<nsxmgr-ip>/api/4.0/firewall/forceSync/<clusterID>
ResponseBody:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=EADEDB6AC7323C3FE42E43B8739FBB1F; Path=/
Location: /api/2.0/services/taskservice/job/jobdata-659
Date: Wed, 02 Oct 2013 21:08:52 GMT
Content-Length: 0
ThelocationheadercontainsthetaskURL,whichcanbeusedtomonitortheoveralltaskstatus.
276
VMware, Inc.
Enable or Disable APIs for a Cluster

Youcandisablefirewallcomponentsonacluster.Iffirewallisdisabledonacluster,allnetworktrafficpasses
throughthehostsinthatclusterwithoutanyvalidation.
Example 9-16. Enable or disable API
Request:
POST https://<nsxmgr-ip>/api/4.0/firewall/<domainID>/enable/true|false
Importing and Exporting Firewall Configurations

Youmaymakechangestoafirewallconfigurationandsaveadraftcopyforfutureuse.Acopyofevery
publishedconfigurationisalsosavedasadraft.Amaximumof100configurationscanbesavedatatime.90
outofthese100canbeautosavedconfigurationsfromapublishoperation.Whenthelimitisreached,the
oldestconfigurationthatisnotmarkedforpreserveispurgedtomakewayforanewone.
YoucanalsoimportandexportfirewallconfigurationsinXMLformat.
Save a Configuration
Example 9-17. Save a firewall configuration
Request:
POST https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/drafts
RequestBody:
<firewallDraft name="TestDraft">
<description>Test draft</description> 
<preserve>true</preserve> 
<mode>userdefined</mode>
<config>
<layer3Sections>
<section name="Default Section Layer3" >
<precedence>default</precedence>
</rule>
</section>
</layer3Sections>
<layer2Sections>
<section name="Default Section Layer2">
</rule>
</section>
</layer2Sections>
</config>
</firewallDraft>
ResponseBody:
HTTP/1.1 200 OK
<firewallDraft id="23" name="TestDraft" timestamp="1377631752553">
<description>Test draft</description>
<preserve>true</preserve>
<user>localadmin</user>
VMware, Inc.
277
</firewallDraft>
Query all Saved Configurations

Example 9-18. Get all saved firewall configurations
Request:
GET https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/drafts/
RequestBody:
<firewallDrafts>
<firewallDraft id="3" name="AutoSaved_2013-Aug-22 17:13:08" timestamp="1377191588887">
<description>Auto saved draft</description>
<preserve>false</preserve>
<user>root</user>
<mode>autosaved</mode>
</firewallDraft>
<user>root</user>
</firewallDraft>
<user>root</user>
</firewallDraft>
</firewallDrafts>
Query a Saved Configuration

RetrievethedraftIDoftheconfiguration.SeeGetallsavedfirewallconfigurationsonpage 278.
Example 9-19. Get a saved firewall configuration
Request:
GET https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/drafts/<draftID>
RequestBody:
<user>root</user>
<config timestamp="1377186104244">
<layer3Sections>
<section id="1002" name="Default Section Layer3" generationNumber="1377186104244" timestamp="1377186104244">
<rule disabled="false" logged="false">
<name>Default Rule NDP - Edit</name>
<services>
<service>
<name>IPv6-ICMP Neighbor Solicitation</name>
278
VMware, Inc.
</service>
</services>
</rule>
</rule>
</section>
</layer3Sections>
<layer2Sections>
<section id="1001" name="Default Section Layer2" generationNumber="1377186104244" timestamp="1377186104244">
</rule>
</section>
</layer2Sections>
</config>
</firewallDraft>
Modify a Saved Configuration

Example 9-20. Update a saved firewall configuration
Request:
PUT https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/drafts/<draftID>
RequestBody:
<f<firewallDraft name="TestDraft">
<description>Test draft</description> 
<preserve>true</preserve> 
<config>
<layer3Sections>
<section name="Default Section Layer3" >
</rule>
</section>
</layer3Sections>
<layer2Sections>
<section name="Default Section Layer2">
</rule>
</section>
</layer2Sections>
</config>
</firewallDraft>
ResponseBody:
VMware, Inc.
279
HTTP/1.1 200 OK
<description>Test draft</description>
<preserve>true</preserve>
</firewallDraft>
Delete a Saved Configuration

Example 9-21. Delete a saved firewall configuration
Request:
DELETE https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/drafts/<draftID>
Export a Saved Configuration

Example 9-22. Export a saved firewall configuration
Request:
GET https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/drafts/<draftID>/action/export
ResponseBody:
<description>Test draft Edit</description>
<layer3Sections>
<section name="Default Section Layer3" timestamp="0">
</rule>
</section>
</layer3Sections>
<layer2Sections>
</rule>
</section>
</layer2Sections>
</config>
</firewallDraft>
Import a Saved Configuration

280
VMware, Inc.
Usetheresponsebodyoftheexportcommandastherequestbodyinthiscommand.SeeExportasaved
firewallconfigurationonpage 280.
Example 9-23. Import a saved firewall configuration
Request:
POST https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/drafts/<draftID>/action/import
RequestBody:
<layer3Sections>
</rule>
</section>
</layer3Sections>
<layer2Sections>
</rule>
</section>
</layer2Sections>
</config>
</firewallDraft>
ResponseBody:
HTTP/1.1 200 OK
<mode>imported</mode>
</firewallDraft>
Firewall Migration Switch

Example 9-24. Firewall migration
Request:
GET https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/state
ResponseBody:
<name>Section-2-Rule-1</name>
<notes>Example with multile sources and any appliedTo with source containing vnics and raw-ips</notes>
<source>
VMware, Inc.
281
<value>10.112.1.0-10.112.1.10</value>
</source>
<source>
<name>2-rhel53-srv-32-local-129-fa110b77-c303-4113-ab66-88c5ed9a5177 - Network adapter 1</name>
<value>fa110b77-c303-4113-ab66-88c5ed9a5177.000</value>
<type>Vnic</type>
</source>
<source>
<value>192.168.1.1</value>
</source>
</sources>
<destinations excluded="false">
<destination>
<name>1-datacenter-129</name>
</destination>
</destinations>
<services>
<service>
<name>AD Server</name>
</service>
</services>
</rule>
Configuring Fail-Safe Mode for Distributed Firewall

Bydefault,failureorunavailabilityofthevShieldAppapplianceresultsintrafficbeingblocked(failclose).
Youcanchangethistoallowtraffic(failopen).
Configure Fail-Safe Mode for vShield App Firewall

Example 9-25. Configure fail-safe mode
Example:
PUT https://<nsxmgr-ip>/api/2.1/app/failsafemode
Request Body
<VshieldAppConfiguration>
<failsafeConfiguration>
<failsafemode>FAIL_OPEN</failsafemode>
</failsafeConfiguration>
</VshieldAppConfiguration>
Query Fail-Safe Mode Configuration for vShield App Firewall

Example 9-26. Get fail-safe mode configuration
Example:
GET https://<nsxmgr-ip>/api/2.1/app/failsafemode
282
VMware, Inc.
Working with SpoofGuard

AftersynchronizingwiththevCenterServer,NSXManagercollectstheIPaddressesofallvCenterguest
virtualmachinesfromVMwareToolsoneachvirtualmachine.Ifavirtualmachinehasbeencompromised,
theIPaddresscanbespoofedandmalicioustransmissionscanbypassfirewallpolicies.
YoucreateaSpoofGuardpolicyforspecificnetworksthatallowsyoutoauthorizetheIPaddressesreported
byVMwareToolsandalterthemifnecessarytopreventspoofing.SpoofGuardinherentlytruststheMAC
addressesofvirtualmachinescollectedfromtheVMXfilesandvSphereSDK.Operatingseparatelyfrom
Firewallrules,youcanuseSpoofGuardtoblocktrafficdeterminedtobespoofed.
Create SpoofGuard Policy

YoucancreateaSpoofGuardpolicytospecifytheoperationmodeforspecificnetworks.Thesystemgenerated
policyappliestoportgroupsandlogicalswitchesnotcoveredbyexistingSpoofGuardpolicies.
Example 9-27. Create SpoofGuard policy
Request:
POST https://<nsxmgr-ip>/api/4.0/services/spoofguard/policies/
RequestBody:
<spoofguardPolicy>
<name>rest-spoofguard-policy-1</name>
<description>Test description</description>
<operationMode>TOFU</operationMode>
<enforcementPoint>
<id>dvportgroup-28</id>
<name>network 1</name>
<type>dvportgroup</type>
</enforcementPoint>
<enforcementPoint>
</enforcementPoint>
<allowLocalIPs>true</allowLocalIPs>
</spoofguardPolicy>
ResponseBody:
HTTP/1.1 201 Created
Location: /api/4.0/services/spoofguard/policy/spoofguardpolicy-2
Modify SpoofGuard Policy

UpdatesaSpoofGuardpolicy.
Example 9-28. Create SpoofGuard policy
Request:
PUT https://<nsxmgr-ip>/api/4.0/services/spoofguard/policies/<policy-id>
RequestBody:
<spoofguardPolicy>
<policyId>spoofguardpolicy-2</policyId>
<description>Test description changed</description>
<enforcementPoint>
VMware, Inc.
283
</enforcementPoint>
<enforcementPoint>
</enforcementPoint>
</spoofguardPolicy>
Query SpoofGuard Policy

RetrievesaSpoofGuardpolicy.
Example 9-29. Query SpoofGuard policy
Request:
GET https://<nsxmgr-ip>/api/4.0/services/spoofguard/policies/<policy-id>
RequestBody:
<spoofguardPolicy>
<enforcementPoint>
</enforcementPoint>
<enforcementPoint>
</enforcementPoint>
<publishedOn>2011-10-28 16:12:20.0</publishedOn>
<publishedBy>system_user</publishedBy>
<publishedPending>false</publishedPending>
<defaultPolicy>false</defaultPolicy>
<publishPending>false</publishPending>
<statistics>
<inSync>true</inSync>
<activeCount>0</activeCount>
<inactiveCount>0</inactiveCount>
<activeSinceLastPublishedCount>0</activeSinceLastPublishedCount>
<requireReviewCount>0</requireReviewCount>
<duplicateCount>0</duplicateCount>
<unpublishedCount>0</unpublishedCount>
</statistics>
</spoofguardPolicy>
Query all SpoofGuard Policies

RetrievesallSpoofGuardpolicies.
Example 9-30. Query SpoofGuard policies
Request:
GET https://<nsxmgr-ip>/api/4.0/services/spoofguard/policies/
284
VMware, Inc.
RequestBody:
<spoofguardPolicies>
<spoofguardPolicy>
<name>system-spoofguard-policy-1</name>
<description>Test description</description>
<defaultPolicy>true</defaultPolicy>
</spoofguardPolicy>
<spoofguardPolicy>
<enforcementPoint>
</enforcementPoint>
<enforcementPoint>
</enforcementPoint>
<publishedBy>system_user</publishedBy>
<publishedPending>false</publishedPending>
<defaultPolicy>false</defaultPolicy>
</spoofguardPolicy>
</spoofguardPolicies>
Delete SpoofGuard Policy

DeletesaSpoofGuardpolicy.
Example 9-31. Delete SpoofGuard policy
Request:
DELETE https://<nsxmgr-ip>/api/4.0/services/spoofguard/policies/<policy-id>
Getting Flow Statistic Details

YoucanretrieveadetailedviewofthetrafficonyourvirtualnetworkthatpassedthroughDistributed
Firewall.
Get Flow Statistics

Youcanretrieveflowstatisticsforadatacenter,portgroup,virtualmachine,orvNIC.
Example 9-32. Retrieve flow statistics
Request:
GET https://<nsxmgr-ip>/api/2.1/app/flow/flowstats?contextId=datacenter-21&flowType=TCP_UDP
&startTime=0&endTime=1320917094000&startIndex=0&pageSize=2
RequestBody:
<FlowStatsPage>
VMware, Inc.
285
<pagingInfo>
<contextId>datacenter-2538</contextId>
<flowType>TCP_UDP</flowType>
</pagingInfo>
<flowStatsTcpUdp>
<blocked>0</blocked>
<direction>1</direction>
<sourcePackets>1449</sourcePackets>
<destinationPackets>0</destinationPackets>
<sourceBytes>227493</sourceBytes>
<destinationBytes>0</destinationBytes>
<networkId>network-2553</networkId>
<destinationIp>255.255.255.255</destinationIp>
<controlProtocol></controlProtocol>
<controlSourceIp>0.0.0.0</controlSourceIp>
<controlDestinationIp>0.0.0.0</controlDestinationIp>
<controlDestinationPort>0</controlDestinationPort>
<controlDirection>0</controlDirection>
</flowStatsTcpUdp>
<flowStatsTcpUdp>
</flowStatsTcpUdp>
</FlowStatsPage>
Queryparametersaredescribedinthetablebelow.
Table 9-2. Query parameters for retrieving flow statistics call
286
Parameter
Description
flowStats
Typeoftheflowtoberetrieved.PossiblevaluesareTCP_UDP,LAYER2,andLAYER3
contextId
vcmorefidofthedatacenter,portgroup,virtualmachine,orUUIDofthevNICfor
whichtrafficflowistoberetrieved.
startTime
Flowswithstarttimegreaterthanthespecifiedtimearetoberetrieved.
endTime
Flowswithstarttimelowerthanthespecifiedtimearetoberetrieved.
VMware, Inc.
Table 9-2. Query parameters for retrieving flow statistics call

Parameter
Description
startIndex
Optionalparameterthatspecifiesthestartingpointforretrievingtheflows.Ifthisparameteris
notspecified,flowsareretrievedfromthebeginning.
pageSize
OptionalparameterthatlimitsthemaximumnumberofentriesreturnedbytheAPI.Thedefault
valueforthisparameteris256andthevalidrangeis11024.
Table 9-3. Response values for retrieving flow statistics call

Value
Description
startTime
Starttimeforcurrentflow.
endTime
Endtimeforcurrentflow.
ruleId
ruleIdforcurrentflow.
blocked
Indicateswhethertrafficisblocked0:Flowallowed,1:Flowblocked,2:Flow
blockedbySpoofguard.
protocol
protocolinflow0:TCP,1:UDP,2:ICMP.
direction
Directionofflow0:Tovirtualmachine,1:Fromvirtualmachine.
sessions
Numberofsessionsincurrentflow.
sourcePackets
CountofPacketsfromSourcetoDestinationincurrentflow.
destinationPackets
CountofPacketsfromDestinationtoSourceincurrentflow.
sourceBytes
CountofBytestransferredfromSourcetoDestinationincurrentflow.
destinationBytes
CountofBytestransferredfromDestinationtoSourceincurrentflow.
sourceIp
SourceIPofcurrentflow.
destinationIp
DestinationIPofcurrentflow.
sourceMac
SourceMacofcurrentflow.
destinationMac
DestinationMacofcurrentflow.
subtype
Identifiesthesubtypeofcurrentflow.
destinationPort
PortnumberofDestinationforTCP/UDPtraffic.
controlProtocol
ControlprotocolfordynamicTCPtraffic.
controlSourceIp
ControlsourceIPfordynamicTCPtraffic.
controlDestinationIp
ControldestinationIPfordynamicTCPtraffic.
controlDestinationPort
ControldestinationportfordynamicTCPtraffic.
controlDirection
ControldirectionfordynamicTCPtraffic0:Source>Destination,
1:Destination>Source.
Get Flow Meta-Data

Youcanretrievethefollowinginformationforeachflowtype:
minimumstatstime
maximumendtime
totalflowcount
Example 9-33. Get flow meta-data for flow type

Request:
GET https://<nsxmgr-ip>/api/2.1/app/flow/flowstats?contextId=datacenter-2538\&flowType=TCP_UDP\
&startTime=1327405883000\&endTime=1327482600000\&startIndex=0\&pageSize=2
VMware, Inc.
287
ResponseBody:
<FlowStatsPage>
<pagingInfo>
<contextId>datacenter-2538</contextId>
<flowType>TCP_UDP</flowType>
</pagingInfo>
<flowStatsTcpUdp>
</flowStatsTcpUdp>
<flowStatsTcpUdp>
</flowStatsTcpUdp>
</FlowStatsPage>
Query Flow Summary

Retrievesflowsummaryforgivencontext.
Example 9-34. Get flow summary
Request:
288
VMware, Inc.
GET
https://<nsxmgr-ip>/api/2.1/app/internal/flow/flowsummary?contextId=datacenter-2538&&startTime=13274058
83000&endTime=1327482600000
where
contextId:vcmorefidofthedatacenter,portgroup,virtualmachine,oruuidincasevNICforwhichthe
trafficflowistoberetrieved.
startTime:Flowswithstarttimegreaterthanthiswillbefetched.
endTime:Flowswithendtimelesserthanthiswillbefetched.
Query Flow Table

Retrievestoprowsforgivencontextandtabletype.
Example 9-35. Get flow table
Request:
GET
https://<nsxmgr-ip>/api/2.1/app/internal/flow/flowtable?contextId=datacenter-2538&&startTime=132740588300
0&endTime=1327482600000&tableType=source
where
tableType:Thisparameterindicatesthetypeoftheflowtobefetched.Possiblevaluesare:Source,
Application,Destination.
maxRows:(optional)Maximumnumberofrowstobereturned(defaultvalue:5).
Query Flow Details

Retrievesflowdetailsforgivencontext.
Example 9-36. Get flow details
Request:
GET
https://<nsxmgr-ip>/api/2.1/app/internal/flow/flowdetaild?contextId=datacenter-2538&&&flowType=Allowed&
startTime=0&endTime=1327482600000
where
flowType:Thisparameterindicatesthetypeoftheflowtobefetched.PossiblevaluesforflowType
parameterare:AllowedorBlocked.
VMware, Inc.
289
Query Paged Flow Details

Retrievesapageofflowdetailsforgivencontext.
Example 9-37. Get flow details
Request:
GET https://<nsxmgr-ip>/api/2.1/app/internal/flow/pagedflowdetails?contextId=datacenter-2538&&&
flowType=Allowed&startTime=0&endTime=1327482600000
where
startIndex:(optional)Thisisthestartindexoftheflowstobereturned(defaultvalue:0).
pageSize:(optional)Thisisthemaximumnumberofflowstobereturnedinasinglegetcall(defaultvalue
is256).
Query Flow Details Application

Retrievesflowdetailsforgivencontextbyapplication.Ifavailable,thesourceanddestinationnamesare
returned.
Example 9-38. Get flow details by application
Request:
GET
https://<nsxmgr-ip>/api/2.1/app/internal/flow/flowdetaild/application?contextId=datacenter-2538&&&flowType
=Allowed&startTime=0&endTime=1327482600000&serviceId=application-211
where
serviceId:Theserviceidentifieroftheapplicationtobequeried.
Query Paged Flow Details Application

Retrievesapageofflowdetailsforgivencontextbyapplication.Ifavailable,thesourceanddestinationnames
arereturned.
Example 9-39. Get paged flow details by application
Request:
290
VMware, Inc.
GET
https://<nsxmgr-ip>/api/2.1/app/internal/flow/pagedflowdetails/application?contextId=datacenter-2538&&&flow
Type=Allowed&startTime=0&endTime=1327482600000&serviceId=application-211
where
serviceId:Theserviceidentifieroftheapplicationtobequeried.
startIndex:(optional)Thisisthestartindexoftheflowstobereturned(defaultvalue:0).
pageSize:(optional)Thisisthemaximumnumberofflowstobereturnedinasinglegetcall(defaultvalue
is256).
Flow Exclusion
Firewallingisdonebyakernelmodulepresentoneachhost.Thiskernelmoduleoneachhostgeneratesflow
recordsfornetworkactivityhappeningonprotectedonVMs.Theseflowrecordsgeneratedoneachhostare
senttoNSXManager,whichconsumestherecordsfromallhostsanddisplaysaggregatedmeaningful
information.Duetothevastamountofflowrecordswhichcanbegeneratedonahost,capabilityhasbeen
providedtoexcludegenerationofflowrecordsbythekernelmoduleaspercriteriachosenbyadministrator.
Followingknobsareprovidedtocontrolflowexclusion.Allexclusionparametersareappliedgloballyonall
hosts.
DisableFlowscompletelyatagloballevel
Ignoreallowedflows
Ignoreblockedflows
Ignorelayer2flows
SourceIPstoignore.Ex:10.112.3.14,10.112.3.1510.112.3.18,192.168.1.1\24
Sourcecontainerstoignore.ContainercancontainVm,vNic,IPSet,MACSet
DestinationIPstoignore.
Destinationcontainerstoignore.ContainercancontainVm,vNic,IPSet,MACSet
Destinationports
Servicecontainerstoignore.ContainercancontainApplicationorApplicationgroup
Flowexclusionhappensatthesourceofgenerationofflowrecordsi.e.hostitself.Thefollowingflowsare
discardedbydefault:
BroadcastIP(255.255.255.255)
Localmulticastgroup(224.0.0.0/24)
BroadcastMACaddress(FF:FF:FF:FF:FF:FF)
Exclude Flows
Excludesspecifiedflows.
VMware, Inc.
291
Example 9-40. Exclude flows

Request:
POST https://<nsxmgr-ip>/api/2.1/app/flow/config
RequestBody:
<FlowConfiguration>
<collectFlows>true</collectFlows>
<ignoreBlockedFlows>false</ignoreBlockedFlows>
<ignoreLayer2Flows>false</ignoreLayer2Flows>
<sourceIPs>10.112.3.14, 10.112.3.15-10.112.3.18,192.168.1.1\24</sourceIPs>
<sourceContainer>
<id>5013bcd8-c666-1e28-c7a9-600da945954f.000</id>
<type>Vnic</type>
</sourceContainer>
<sourceContainer>
<name>Large XP-1</name>
<id>vm-126</id>
</sourceContainer>
<destinationIPs>10.112.3.14, 10.112.3.15-10.112.3.18,192.168.1.1\24</destinationIPs>
<destinationContainer>
<id>5013bcd8-c666-1e28-c7a9-600da945954f.000</id>
<type>Vnic</type>
</destinationContainer>
<destinationContainer>
<id>vm-226</id>
</destinationContainer>
<destinationPorts>22, 40-50, 60</destinationPorts>
<service>
<id>application-161</id>
</service>
</FlowConfiguration>
Query Excluded Flows

Retrievesexcludedflowdetails.
Example 9-41. Get excluded flows
Request:
GET https://<nsxmgr-ip>/api/2.1/app/flow/config
ResponseBody:
<FlowConfiguration>
<collectFlows>true</collectFlows>
<ignoreBlockedFlows>false</ignoreBlockedFlows>
<ignoreLayer2Flows>false</ignoreLayer2Flows>
<sourceIPs>10.112.3.14, 10.112.3.15-10.112.3.18,192.168.1.1\24</sourceIPs>
<sourceContainer><name>vm1 - Network adapter 1</name>
<id>5013bcd8-c666-1e28-c7a9-600da945954f.000</id><type>Vnic</type></sourceContainer>
<sourceContainer><name>Large XP-1</name><id>vm-126</id><type>VirtualMachine</type></sourceContainer>
<destinationIPs>10.112.3.14, 10.112.3.15-10.112.3.18,192.168.1.1\24</destinationIPs>
<destinationContainer><name>vm2 - Network adapter 2</name>
<id>5013bcd8-c666-1e28-c7a9-600da945954f.000</id><type>Vnic</type></destinationContainer>
<destinationContainer><name>Small XP-2</name><id>vm-226</id><type>VirtualMachine</type></destinationContainer>
292
VMware, Inc.
<destinationPorts>22, 40-50, 60</destinationPorts>

<service><name>VMware-VDM2.x-Ephemeral</name><id>application-161</id></service>
</FlowConfiguration>
Excluding Virtual Machines from Firewall Protection

Youcanexcludeasetofvirtualmachinesfrombeingprotected.ThisexclusionlistisappliedacrossFirewall
ruleswithinthespecifiedNSXManager.IfavirtualmachinehasmultiplevNICs,allofthemareexcluded
fromprotection.
Add a Virtual Machine to the Exclusion List

Youcanaddavirtualmachinetotheexclusionlist.
Example 9-42. Add a virtual machine to exclusion list
Example:
PUT https://<nsxmgr-ip>/api/2.1/app/excludelist/<memberId>
WherememberIdisthevcmorefidofavirtualmachine.
Get Virtual Machine Exclusion List

Youcanretrievethesetofvirtualmachinesintheexclusionlist.
Example 9-43. Get exclusion list
Example:
GET https://<nsxmgr-ip>/api/2.1/app/excludelist/
ResponseBody:
<VshieldAppConfiguration>
<excludeListConfiguration>
<objectId>excludeList-1</objectId>
<type>
<typeName>ExcludeList</typeName>
</type>
<objectTypeName>ExcludeList</objectTypeName>
<excludeMember>
<member>
<objectId>vm-2371</objectId>
<type>
<typeName>VirtualMachine</typeName>
</type>
<name>VC-Win2k3</name>
<objectTypeName>VirtualMachine</objectTypeName>
<scope>
<id>domain-c731</id>
<name>Database-CL</name>
</scope>
</member>
</excludeMember>
</excludeListConfiguration>
</VshieldAppConfiguration>
VMware, Inc.
293
Delete a Virtual Machine from Exclusion List

Youcandeleteavirtualmachinesfromtheexclusionlist.
Example 9-44. Delete virtual machine from exclusion list
Example:
DELETE https://<nsxmgr-ip>/api/2.1/app/excludelist/<memberID>
WherememberIdisthevcmorefidofavirtualmachine.
294
VMware, Inc.
10
Service Composer Management
10
Service Composer helps you provision and assign network and security services to applications in a virtual infrastructure. You map these services to a security group, and the services are applied to the virtual machines in the security
group.
Security Group
You begin by creating a security group to define assets that you want to protect. Security groups may be static (including
specific virtual machines) or dynamic where membership may be defined in one or more of the following ways:
vCentercontainers(clusters,portgroups,ordatacenters)
Securitytags,IPset,MACset,orevenothersecuritygroups.Forexample,youmayincludeacriteriato
addallmemberstaggedwiththespecifiedsecuritytag(suchasAntiVirus.virusFound)tothesecurity
group.
DirectoryGroups(ifNSXManagerisregisteredwithActiveDirectory)
RegularexpressionssuchasvirtualmachineswithnameVM1
Note that security group membership changes constantly. For example, a virtual machine tagged with the AntiVirus.virusFound tag is moved into the Quarantine security group. When the virus is cleaned and this tag is removed from
the virtual machine, it again moves out of the Quarantine security group.
Security Policy
A security policy is a collection of the following service configurations.
Table 10-1. Security services contained in a security policy
Service
Description
Applies to
Firewallrules
Rulesthatdefinethetraffictobeallowedto,from,orwithinthesecurity
group.
vNIC
Endpointservice
DataSecurityorthirdpartysolutionproviderservicessuchasantivirusor
vulnerabilitymanagementservices.
virtualmachines
Network
introspection
services
ServicesthatmonitoryournetworksuchasIPS.
virtualmachines
Mapping Security Policy to Security Group

Youmapasecuritypolicy(saySP1)toasecuritygroup(saySG1).TheservicesconfiguredforSP1areapplied
toallvirtualmachinesthataremembersofSG1.
Ifavirtualmachinebelongstomorethanonesecuritygroup,theservicesthatareappliedtothevirtual
machinedependsontheprecedenceofthesecuritypolicymappedtothesecuritygroups.
VMware, Inc.
295
authenticationServiceComposerprofilescanbeexportedandimportedasbackupsorforuseinother
environments.Thisapproachtomanagingnetworkandsecurityserviceshelpsyouwithactionableand
repeatablesecuritypolicymanagement.
WorkingwithSecurityPolicies
WorkingwithSecurityActions
QuerySecurityPoliciesMappedtoaSecurityGroup
QueryServiceProviderData
QuerySecurityGroupEffectiveMembership
QuerySecurityGroupstowhichaVMBelongs
IMPORTANTAllNSXvSphereRESTrequestsrequireauthentication.SeeUsingtheNSXRESTAPIon
page 25fordetailsaboutbasicauthentication.
Working with Security Policies

AsecuritypolicyisasetofEndpoint,firewall,andnetworkintrospectionservicesthatcanbeappliedtoa
securitygroup.
Forinformationoncreatingasecuritygroup,seeWorkingwithSecurityGroupsonpage 53.
Creating a Security Policy

Whencreatingasecuritypolicy,aparentsecuritypolicycanbespecifiedifrequired.Thesecuritypolicy
inherits services from the parent security policy. Securitygroupbindingsandactionscanalsobespecifiedwhile
creatingthepolicy.Notethatexecutionorderofactionsinacategoryisimpliedbytheirorderinthelist.The
responseofthecallhasLocationheaderpopulatedwiththeURIusingwhichthecreatedobjectcanbefetched.
Prerequisites
Ensurethat:
the required VMware built in services (such as Distributed Firewall, Data Security, and Endpoint) are installed. See
NSX Installation and Upgrade Guide.
the required partner services have been registered with NSX Manager.
therequiredsecuritygroupshavebeencreated.
Example 10-1. Create security policy

Request:
POST https://<nsxmgr-ip>/api/2.0/services/policy/securitypolicy
RequestBody:
<securityPolicy>
<name></name>
<precedence></precedence>
<parent>
</parent>
<securityGroupBinding>
</securityGroupBinding>
...
296
VMware, Inc.
Chapter 10 Service Composer Management
...
...
...
<actionsByCategory>
<category>firewall</category>
<action class="firewallSecurityAction">
<name></name>
<category></category>
<actionType></actionType>
<isActionEnforced></isActionEnforced>
<isActive></isActive>
<secondarySecurityGroup>
</secondarySecurityGroup>
...
...
...
...
<applications>
<application>
</application>
<applicationGroup>
</applicationGroup>
...
...
</applications>
<logged></logged>
<action></action>
<direction></direction>
<outsideSecondaryContainer></outsideSecondaryContainer>
</action>
<action>
...
</action>
...
...
<action>
...
</action>
</actionsByCategory>
<actionsByCategory>
<category>endpoint</category>
<action class="endpointSecurityAction">
<name></name>
<serviceId></serviceId>
<vendorTemplateId></vendorTemplateId>
</action>
<actionsByCategory>
<category>traffic_steering</category>
<action class="trafficSteeringSecurityAction">
<name></name>
VMware, Inc.
297
<logged></logged>
<redirect></redirect>
<serviceProfile>
</serviceProfile>
</action>
</securityPolicy>
Description of Tags
ThissectiondescribesthetagsspecifictoServiceComposermanagement.
Common Tags
executionOrderCategoryCategorytowhichtheactionbelongsto(endpoint,firewallortraffic_steering)
actionTypeDefinesthetypeofactionbelongingtoagivenexecutionOrderCategory
isEnabledIndicateswhetheranactionisenabled
isActionEnforcedEnforcesanactionofaparentpolicyonitschildpoliciesforagivenactionTypeand
executionOrderCategory.Notethatinapolicyhierarchy,foragivenactionTypeand
executionOrderCategory,therecanbeonlyoneactionwhichcanbemarkedasenforced.
isActiveInasecuritypolicyhierarchy,anactionwithinapolicymayormaynotbeactivebasedonthe
precedenceofthepolicyorusageofisActionEnforcedflaginthathierarchy
securityPolicyParentpolicyinanaction
secondarySecurityGroupApplicableforactionswhichneedsecondarysecuritygroups,saya
sourcedestinationfirewallrule
Output only Tags
executionOrderDefinesthesequenceinwhichactionsbelongingtoanexecutionOrderCategoryare
executed.Notethatthisisnotaninputparameteranditsvalueisimpliedbytheindexinthelist.
Firewall Category Tags
applicationsApplications/applicationgroupsonwhichtherulesaretobeapplied
loggedFlagtoenableloggingofthetrafficthatishitbythisrule
actionAlloworblockthetraffic
directionDirectionoftraffictowardsprimarysecuritygroup.Possiblevalues:inbound,outbound,intra
outsideSecondaryContainerFlagtospecifyoutsidei.e.outsidesecuritygroup3
Endpoint Category Tags
298
serviceIdIDoftheservice(asregisteredwiththeserviceinsertionmodule).Ifthistagisnull,the
functionalitytype(asdefinedinactionTypetag)isnotappliedwhichwillalsoresultinblockingthe
actions(ofgivenfunctionalitytype)thatareinheritedfromtheparentseicritypolicy.Thisistrueifthere
isnoactionofenforetype.
vendorTemplateIdIDofspecificvendorconfiguration.
invalidServiceIdFlagtoindicatethattheservicethatwasreferencedinthisruleisdeleted,whichmake
theruleineffective(ordeviatefromtheoriginalintentthatexistedwhileconfiguringtherule).Youmust
eithermodifythisrulebyaddingcorrectServiceordeletethisrule.
VMware, Inc.
invalidVendorTemplateIdFlagtoindicatethatthevendortemplatethatwasreferencedinthisruleis
deleted,whichmaketheruleineffective(ordeviatefromtheoriginalintentthatexistedwhileconfiguring
therule).YoumusteitherfixthisrulebyaddingcorrectServiceordeletethisrule.
serviceNameNameoftheservice
vendorTemplateNameNameofvendortemplate
TrafficSteering/NetX Category Tags
redirectFlagtoindicatewhethertoredirectthetrafficornot
serviceProfileServiceprofileforwhichredirectionisbeingconfigured
loggedFlagtoenableloggingofthetrafficthatishitbythisrule
Querying Security Policies

YoucanretrieveaspecificsecuritypolicybyspecifyingitsIDorallsecuritypolicies.
Example 10-2. Query security policies
Request:
GET https://<nsxmgr-ip>/api/2.0/services/policy/securitypolicy/securitypolicyID | all
ResponseBody:
<securityPolicy><securityPolicy>
<name></name>
<parent>
</parent>
...
...
...
...
<actionsByCategory>
<name></name>
...
...
...
...
<applications>
VMware, Inc.
299
<application>
</application>
<applicationGroup>
</applicationGroup>
...
...
</applications>
<logged></logged>
<action></action>
</action>
<action>
...
</action>
...
...
<action>
...
</action>
<actionsByCategory>
<name></name>
</action>
<actionsByCategory>
<name></name>
<logged></logged>
<serviceProfile>
</serviceProfile>
</action>
</securityPolicy>
<name></name>
<parent>
</parent>
300
VMware, Inc.
...
...
...
...
<actionsByCategory>
<name></name>
...
...
...
...
<applications>
<application>
</application>
<applicationGroup>
</applicationGroup>
...
...
</applications>
<logged></logged>
<action></action>
</action>
<action>
...
</action>
...
...
<action>
...
</action>
<actionsByCategory>
<name></name>
</action>
VMware, Inc.
301
<actionsByCategory>
<name></name>
<logged></logged>
<serviceProfile>
</serviceProfile>
</action>
</securityPolicy>
Edit a Security Policy

Toupdateasecuritypolicy,youmustfirstfetchit.Formoreinformation,seeQueryingSecurityPolicies.
YoutheneditthereceivedXMLandpassitbackastheinput.Thespecifiedconfigurationreplacesthecurrent
configuration.
SecuritygroupmappingsprovidedinthePUTcallreplacesthesecuritygroupmappingsforthesecurity
policy.Toremoveallmappings,deletethesecurityGroupBindingsparameter.
YoucanaddorupdateactionsforthesecuritypolicybyeditingtheactionsByCategoryparameter.Toremove
allactions(belongingtoallcategories),deletetheactionsByCategoryparameter.Toremoveactionsbelonging
toaspecificcategory,deletetheblockforthatcategory.
Example 10-3. Edit a security policy
Request:
PUT https://<nsxmgr-ip>/api/2.0/services/policy/securitypolicy/securitypolicyID
ResponseBody:
SeeExample 102.
Delete a Security Policy

Whenyoudeleteasecuritypolicy,itschildsecuritypoliciesandalltheactionsinitaredeletedaswell.
Example 10-4. Delete a security policy
Request:
DELETE https://<nsxmgr-ip>/api/2.0/services/policy/securitypolicy/securitypolicyID?force=<true/false>
Ifyousettheforceparametertotrue,thesecuritypolicyisdeletedevenifitisbeingusedsomewhere.
302
VMware, Inc.
Export a Security Policy Configuration

YoucanexportaServiceComposerconfiguration(alongwiththesecuritygroupstowhichthesecurity
policiesaremapped)andsaveittoyourdesktop.Thesavedconfigurationcanbeusedasabackupfor
situationswhereyoumayaccidentallydeleteapolicyconfiguration,oritcanbeexportedforuseinanother
NSXManagerenvironment.
Example 10-5. Export a security policy
Requestforselectiveexport:
GET
https://<nsxmgr-ip>/api/2.0/services/policy/securitypolicy/hierarchy?policyIds=comma_separated_securitypolicy
_ids&prefix=optional_some_prefix_before_names
Requestforexportingallpolicies:
GET https://<nsxmgr-ip>/api/2.0/services/policy/hierarchy?prefix=optional_some_prefix_before_names
ResponseBody:
<securityPolicyHierarchy>
<name></name>
<securityPolicy></securityPolicy>
...
...
<securityGroup></securityGroup>
...
...
</securityPolicyHierarchy>
Ifaprefixisspecified,itisaddedbeforethenamesofthesecuritypolicy,securityaction,andsecuritygroup
objectsintheexportedXML.Theprefixcanthusbeusedtoindicatetheremotesourcefromwherethe
hierarchywasexported.
Import a Security Policy Configuration

Youcancreatemultiplesecuritypoliciesandparentchildhierarchiesusingthedatafetchedthroughexport.
Allobjectsincludingsecuritypolicies,securitygroupsandsecurityactionsarecreatedonaglobalscope.
Example 10-6. Import a security policy
Requestforselectiveexport:
POST https://<nsxmgr-ip>/api/2.0/services/policy/securitypolicy/hierarchy?suffix=optional_suffix_to_be_added_after_names
RequestBody:
SeeExample 105.
Ifasuffixisspecified,itisaddedafterthenamesofthesecuritypolicy,securityaction,andsecuritygroup
objectsintheexportedXML.Thesuffixcanthusbeusedtodifferentiatelocallycreatedobjectsfromimported
ones.
Locationofthenewlycreatedsecuritypolicyobjects(multiplelocationsareseparatedbycommas)is
populatedintheLocationheaderoftheresponse.
VMware, Inc.
303
Query Security Actions for a Security Policy

Youcanretrieveallsecurityactionsapplicableonasecuritypolicy.Thislistincludessecurityactionsfrom
associatedparentsecuritypolicies,ifany.SecurityactionsperExecutionOrderCategoryaresortedbasedon
theweightofsecurityactionsindescendingorder.
Example 10-7. Query security actions for a security policy
Request:
GET https://<nsxmgr-ip>/api/2.0/services/policy/securitypolicy/securitypolicyId/securityactions
ResponseBody:
<securityPolicies>
...
...
</securityPolicies>
Working with Security Actions

Query Virtual Machines for a Security Action
YoucanfetchallVirtualMachineobjectsonwhichsecurityactionofagivencategoryandattributehasbeen
applied.
Example 10-8. Query virtual machines for security action
Request:
GET
https://<nsxmgr-ip>/api/2.0/services/policy/securityaction/category/virtualmachines?attributeKey=attribute_nam
e&attributeValue=attribute_value
ResponseBody:
<vmnodes>
<vmnode>
<vmId></vmId>
<vmName></vmName>
</vmnode>
<vmnode>
<vmId></vmId>
<vmName></vmName>
</vmnode>
...
...
<vmnode>
<vmId></vmId>
<vmName></vmName>
</vmnode>
</vmnodes>
Query Security Actions Applicable on a Security Group

YoucanfetchallsecurityactionsapplicableonasecuritygroupforallExecutionOrderCategories.Thelistis
sortedbasedontheweightofsecurityactionsindescendingorder.TheisActivetagindicatesifasecurityaction
willbeapplied(bytheenforcementengine)onthesecuritygroup.
304
VMware, Inc.
Example 10-9. Query security actions for security group

Request:
GET https://<nsxmgr-ip>/api/2.0/services/policy/securitygroup/securitygroupID/securityactions
ResponseBody:
<securityActionsByCategoryMap>
<actionsByCategory>
<vsmUuid></vsmUuid>
<type>
</type>
<name></name>
<executionOrder></executionOrder>
<vsmUuid></vsmUuid>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
<extendedAttributes></extendedAttributes>
...
...
...
...
<securityPolicy>
<vsmUuid></vsmUuid>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
VMware, Inc.
305
</securityPolicy>
<invalidSecondaryContainers></invalidSecondaryContainers>
<applications>
<application>
<vsmUuid></vsmUuid>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
<inheritanceAllowed></inheritanceAllowed>
<element>
<applicationProtocol></applicationProtocol>
<value></value>
</element>
</application>
<application>
...
</application>
...
...
</applications>
<invalidApplications>false</invalidApplications>
<logged>false</logged>
<action>block</action>
<direction>inbound</direction>
<outsideSecondaryContainer>true</outsideSecondaryContainer>
</action>
<action>
</action>
...
...
<action>
...
</action>
<actionsByCategory>
<vsmUuid></vsmUuid>
<type>
</type>
<name></name>
<securityPolicy>
<vsmUuid></vsmUuid>
306
VMware, Inc.
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
</securityPolicy>
<serviceName></serviceName>
<invalidServiceId></invalidServiceId>
<vendorTemplateName></vendorTemplateName>
<invalidVendorTemplateId></invalidVendorTemplateId>
</action>
<action>
</action>
...
...
<action>
...
</action>
<actionsByCategory>
<vsmUuid></vsmUuid>
<type>
</type>
<name></name>
<securityPolicy>
<vsmUuid></vsmUuid>
<type>
</type>
<name></name>
<scope>
<id></id>
<name></name>
</scope>
</securityPolicy>
<logged></logged>
<serviceProfile>
VMware, Inc.
307
<vsmUuid></vsmUuid>
<type>
</type>
<name>P</name>
<clientHandle>
</clientHandle>
<profileAttributes>
<id></id>
<attribute>
<id></id>
<key></key>
<name></name>
<value></value>
</attribute>
<attribute>
...
</attribute>
</profileAttributes>
<service>
<vsmUuid></vsmUuid>
<type>
</type>
<name></name>
</service>
<vendorTemplate>
<id></id>
<name></name>
<idFromVendor></idFromVendor>
<vendorAttributes>
<id></id>
</vendorAttributes>
</vendorTemplate>
<status></status>
<vendorAttributes>
<id></id>
</vendorAttributes>
<runtime>
<nonCompliantDvpg/>
<nonCompliantVwire/>
</runtime>
<serviceProfileBinding>
<distributedVirtualPortGroups/>
<virtualWires/>
<excludedVnics/>
<virtualServers/>
</serviceProfileBinding>
</serviceProfile>
</action>
<action>
</action>
...
...
308
VMware, Inc.
<action>
...
</action>
</securityActionsByCategoryMap>
Query Security Action Applicable on A Virtual Machine

YoucanfetchthesecurityactionsapplicableonavirtualmachineforallExecutionOrderCategories.Thelist
ofSecurityActionsperExecutionOrderCategoryissortedbasedontheweightofsecurityactionsin
descendingorder.TheisActivetagindicateswhetherasecurityactionwillbeapplied(bytheenforcement
engine)onthevirtualmachine.
Example 10-10. Query security actions on a virtual machine
Request:
GET https://<nsxmgr-ip>/api/2.0/services/policy/virtualmachine/VM_ID//securityactions
ResponseBody:
<securityPolicies>
...
...
</securityPolicies>
Query Security Policies Mapped to a Security Group

Youcanretrievethesecuritypoliciesmappedtoasecuritygroup.Thelistissortedbasedontheprecedence
ofsecuritypolicyprecedenceindescendingorder.Thesecuritypolicywiththehighestprecedence(highest
numericvalue)isthefirstentry(index=0)inthelist.
Example 10-11. Query security policies mapped to a security group
Request:
GET https://<nsxmgr-ip>/api/2.0/services/policy/securitygroup/securitygroupID/securitypolicies
ResponseBody:
<securityPolicies>
...
...
</securityPolicies>
Query Service Provider Data

Youcanquerytheserviceproviderofagivencategorytofetchanobjectcontainingproviderspecificdata
basedontherequestedproperty/valuepairs.
Example 10-12. Query service provider data
Request:
GET https://<nsxmgr-ip>/api/2.0/services/policy/serviceprovider/category
VMware, Inc.
309
RequestBody:
<keyValues>
<keyValue>
<key></key>
<value></value>
</keyValue>
<keyValue>
..
</keyValue>
..
..
<keyValue>
..
</keyValue>
</keyValues>
Query Security Group Effective Membership

Retrieveseffectivemembershipofasecuritygroupintermsofvirtualmachines.Theeffectivemembershipis
calculatedusingallthethreemembershipcomponentsofasecuritygroupstaticinclude,staticexclude,and
dynamicusingthefollowingformula:
Effectivemembershipvirtualmachines=[(VMsresultingfromstaticincludecomponent+VMsresultingfrom
dynamiccomponent)(VMsresultingfromstaticexcludecomponent)]
Example 10-13. Query virtual machines in a security group
Request:
GET https://<nsxmgr-ip>/api/2.0/services/securitygroup/{securityGroupId}/translation/virtualmachines
Query Security Groups to which a VM Belongs

Retrievesthecollectionofsecuritygroupstowhichavirtualmachineisadirectorindirectmember.Indirect
membershipinvolvesnestingofsecuritygroups.
Example 10-14. Query security groups to which a virtual machine belongs
Request:
GET https://<nsxmgr-ip>/api/2.0/services/securitygroup/lookup/virtualmachine/<virtualMachineId>
310
VMware, Inc.
11
Data Security Configuration
11
DataSecurityprovidesvisibilityintosensitivedatastoredwithinyourorganizationsvirtualizedandcloud
environments.BasedontheviolationsreportedbyDataSecurity,youcanensurethatsensitivedatais
adequatelyprotectedandassesscompliancewithregulationsaroundtheworld.
DataSecurityUserRolesonpage 311
DefiningaDataSecurityPolicyonpage 312
SavingandPublishingPoliciesonpage 317
DataSecurityScanningonpage 318
QueryingScanResultsonpage 319
QueryingViolationDetailsonpage 323
TobeginusingDataSecurity,youcreateapolicythatdefinestheregulationsthatapplytodatasecurityinyour
organizationandspecifiestheareasofyourenvironmentandfilestobescanned.WhenyoustartaData
Securityscan,analyzesthedataonthevirtualmachinesinyourvSphereinventoryandreportsthenumberof
violationsdetectedandthefilesthatviolatedyourpolicy.
Afteryouanalyzetheresultsofthescan,youcanedityourpolicyasrequired.Whenyoueditapolicy,you
mustenableitbypublishingthechanges.
NotethatyoucannotinstallDataSecurityusingaRESTAPI.ForinformationoninstallingDataSecurity,see
theNSXInstallationandUpgradeGuide.
TodeployDataSecurity,youmustinstallthelatestversionofVMwareToolsoneachvirtualmachinethatyou
wanttoscan.ThisinstallsaThinAgent,whichallowstheSVMtoscanthevirtualmachines.
Data Security User Roles

Ausersroledeterminestheactionsthattheusercanperform.Ausercanonlyhaveonerole.Youcannotadd
aroletoauser,orremoveanassignedrolefromauser,butyoucanchangetheassignedroleforauser.
Table 11-1. Data Security User Roles
Role
Actions Allowed
Enterpriseadministrator
Alloperationsandsecurity.
vShieldadministrator
NSXoperationsonly:forexample,installvirtualappliances,andconfigureportgroups.
Securityadministrator
Createandpublishpolicies,viewviolationreports.Cannotstartorstopdatasecurityscans.
Auditor
Viewconfiguredpoliciesandviolationreports.Readonly.
VMware, Inc.
311
Defining a Data Security Policy

Inordertodetectsensitivedatainyourenvironment,youmustcreateadatasecuritypolicy.Youmustbea
SecurityAdministratortocreatepolicies.
Todefineapolicy,youmustspecifythefollowing:
Regulations
AregulationisadataprivacylawforprotectingPCI(PaymentCardIndustry),PHI(ProtectedHealth
Information)andPII(PersonallyIdentifiableInformation)information.Youcanselecttheregulationsthat
yourcompanyneedstocomplyto.Whenyourunascan,DataSecurityidentifiesdatathatviolatesthe
regulationsinyourpolicy,andishencesensitiveforyourorganization.
Participatingareas
Bydefault,yourentirevCenterinventoryisscanned.Toscanasubsetofyourinventory,youcanspecify
thesecuritygroupsthatyouwanttoincludeorexclude.
Filefilters
Youcancreatefilterstolimitthedatabeingscannedandexcludethefiletypesunlikelytocontain
sensitivedatafromthescan.
InthedatasecurityAPIs,dlpinthepathnamestandsfordatalossprevention(DLP).
Query Regulations
Youcanretrievethelistofavailableregulationsforapolicy.TheoutputincludesregulationIDsandthe
embeddedclassificationsforeachregulation.
Example 11-1. Get all SDD policy regulations
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/regulation
Response:
<set>
<Regulation>
Regulation ID
<id>66</id>
<name>California AB-1298</name>
<description>Identifies documents and transmissions that contain protected health information (ePHI) and personally
identifiable information (PII) as regulated by California AB-1298 (Civil Code 56, 1785 and 1798)...
<classifications>
<Classification>
<id>10</id>
Classification ID
<name>Credit Card Track Data</name>
<providerName>Credit Card Track Data</providerName>
<description>Credit Card Track Data</description>
<customizable>false</customizable>
</Classification>
...
Enable a Regulation
YoucanenableoneormoreregulationsbyputtingtheregulationIDsintothepolicy.Youcangetthe
appropriateregulationIDsfromtheoutputoftheretrieveregulationsAPI(seeExample 111).Intheexample
requestbody,regulation66isCaliforniaAB1298,andregulations67and68originateelsewhere.
Example 11-2. Enable a regulation
Request:
312
VMware, Inc.
Chapter 11 Data Security Configuration
PUT https://<nsxmgr-ip>/api/2.0/dlp/policy/regulations
RequestBody:
<set>
<long>66</long>
<long>67</long>
<long>68</long>
</set>
Query Classification Value

YoucanretrievetheclassificationvaluesassociatedwithregulationsthatmonitorGroupInsuranceNumbers,
HealthPlanBeneficiaryNumbers,MedicalRecordNumbers,orPatientIdentificationNumbers.Theoutput
includestheclassificationID.
Example 11-3. Get all classification values associated with customizable classifications
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/classificationvalue
Configure a Customized Regex as a Classification Value

YoucanconfigureaClassificationValuewithacustomizedregexthatmustbematchedduringviolation
inspection.YoumustincludetheappropriateclassificationID,whichyoucangetfromtheoutputofthe
retrieveclassificationvalueAPI.
Example 11-4. Configure a customized regex as a classification value

Request:
PUT https://<nsxmgr-ip>/api/2.0/dlp/policy/classificationvalues
<set>
Classification ID
<ClassificationValue>
<id>3</id>
<classification>
<id>15</id>
<name>Health Plan Beneficiary Numbers</name>
<providerName>Health Plan Beneficiary Numbers</providerName>
Regex
<description>Health Plan Beneficiary Numbers</description>
<customizable>true</customizable>
</classification>
<value>PATNUM-[0-9]{10}</value>
</ClassificationValue>
</set>
View the List of Excludable Areas

Youcanretrievethelistofdatacenters,clusters,andresourcepoolsinyourinventorytohelpyoudetermine
theareasyoumightwanttoexcludefrompolicyinspection.
Example 11-5. View the list of excludable areas
Request:
VMware, Inc.
313
GET https://<nsxmgr-ip>/api/2.0/dlp/excludableareas
Response:
<set>
<EnhancedInfo>
<objectId>datacenter-2</objectId>
<name>jdoe</name>
<ownerName>VMware</ownerName>
</EnhancedInfo>
<EnhancedInfo>
<objectId>datacenter-94</objectId>
<name>jdoe</name>
<ownerName>VMware</ownerName>
</EnhancedInfo>
<EnhancedInfo>
<objectId>resgroup-3725</objectId>
<name>ResourcePool1</name>
<objectTypeName>ResourcePool</objectTypeName>
<ownerName>jdoe</ownerName>
</EnhancedInfo>
<EnhancedInfo>
<name>Cluster1</name>
</EnhancedInfo>
<EnhancedInfo>
<objectId>resgroup-3726</objectId>
<name>ResourcePool2</name>
<objectTypeName>ResourcePool</objectTypeName>
</EnhancedInfo>
</set>
Exclude Areas from Policy Inspection

ThisAPIisdeprecatedasof5.0.1.Instead,usetheAPIforexcludingsecuritygroupsfromascan.Formore
information,seeExample 118,Excludeasecuritygroupfromthescan,onpage 315.
Youcanexcludeoneormoredatacenters,resourcepoolsorclustersfrompolicyinspectionbyincludingthe
objectIDofeachareatoexclude.YoucangettheobjectIDfromtheoutputoftheViewthelistofexcludable
areasAPI(seeExample 115).
Example 11-6. Exclude areas from policy inspection
Request:
PUT https://<nsxmgr-ip>/api/2.0/dlp/policy/excludedareas
<set>
<string>datacenter-3720</string>
</set>
314
VMware, Inc.
Specify Security Groups to be Scanned

Toscanasubsetofyourinventory,youcanspecifythesecuritygroupsthatyouwanttoincludeorexcludein
thedatasecurityscan.
Example 11-7. Include a security group in the scan
Request:
PUT https://<nsxmgr-ip>/api/2.0/dlp/policy/includedsecuritygroups/
RequestBody:
<set>
<string>securitygroup-id-1</string>
</set>
Example 11-8. Exclude a security group from the scan

Request:
PUT https://<nsxmgr-ip>/api/2.0/dlp/policy/excludedsecuritygroups/
RequestBody:
<set>
</set>
Query Security Groups Being Scanned

Youcanretrievethesecuritygroupsthathavebeenincludedorexcludedfromdatasecurityscans.
Example 11-9. Get included security groups
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/policy/includedsecuritygroups
Response:
<set>
<basicinfo>
<objectId>securitygroup-1</objectId>
<type>
<typeName>SecurityGroup</typeName>
</type>
<name>included</name>
<objectTypeName>SecurityGroup</objectTypeName>
<scope>
<name>jkiryakoza</name>
</scope>
</basicinfo>
</set>
Example 11-10. Get excluded security groups

Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/policy/excludedsecuritygroups/
VMware, Inc.
315
Response:
<set>
<basicinfo>
<type>
</type>
<scope>
</scope>
</basicinfo>
</set>
Configure File Filters

Youcanrestrictthefilesyouwanttoscanbasedonsize,lastmodifieddate,orfileextensions.
Thefollowingfilefiltersareavailable:
sizeLessThanBytesscanonlyfileswithabytesizelessthanthespecifiednumber.
lastModifiedBeforescanonlyfilesmodifiedbeforethespecifieddate.Thedatemustbespecifiedin
GMTformat(YYYYMMDDHH:MM:SS).
lastModifiedAfterscanonlyfilesmodifiedafterthespecifieddate.ThedatemustbespecifiedinGMT
format(YYYYMMDDHH:MM:SS).
extensionsIncludedBooleanvalueasinTable 111.
Table 11-2. Included extensions parameter
Value of the extensionsIncluded parameter
Result
truefollowedbytheextensionsparameter
containingoneormoreextensions
Onlyfileswiththespecifiedextensionsarescanned
falsefollowedbytheextensionsparameter
containingoneormoreextensions
Allfilesarescannedexceptthosewiththespecifiedextensions.
ThescanAllFilesparameterdeterminesifallfilesshouldbeinspectedduringascanoperation.Thisparameter
overridesallotherparameters,sosetthisparametertofalseifyouareconfiguringafilter.
Example 11-11. Scan only PDF and XLXS files modified after 10/19/2011
Request:
PUT https://<nsxmgr-ip>/api/2.0/dlp/policy/FileFilters
<FileFilters>
<scanAllFiles>false</scanAllFiles>
<lastModifiedAfter>2011-10-19 15:16:04.0 EST</lastModifiedAfter>
<extensionsIncluded>true</extensionsIncluded>
<extensions>pdf,xlsx</extensions>
</FileFilters>
Example 11-12. Scan all files except PDF and XLXS files
Request:
<FileFilters>
316
VMware, Inc.
<extensionsIncluded>false</extensionsIncluded>
</FileFilters>
Example 11-13. Scan PDF and XLXS files that are less than 100 MB in size
Request:
<FileFilters>
<sizeLessThanBytes>100000000</sizeLessThanBytes>
</FileFilters>
Saving and Publishing Policies

Afteryouhavedefinedadatasecuritypolicy,youcanedititbychangingtheregulationsselected,areas
excludedfromthescan,orthefilefilters.Toapplytheeditedpolicy,youmustpublishit.
Query Saved Policy

Asabestpractice,youshouldretrieveandreviewthelastsavedpolicybeforepublishingit.Eachpolicy
containsarevisionvaluethatcanbeusedtotrackversionhistory.
Example 11-14. Get saved SDD policy
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/policy/saved
Response:thefollowingresponsecontainsapolicywithasingleregulation,IndianaHB1101.
<DlpPolicy>
<objectId>DlpPolicy-1</objectId>
<type>
<typeName>DlpPolicy</typeName>
</type>
<name>DlpPolicy-One</name>
<objectTypeName>DlpPolicy</objectTypeName>
<regulations>
<Regulation>
<id>37</id>
<name>Indiana HB-1101</name>
<description>Indiana HB-1101</description>
<classifications>
<Classification>
<id>16</id>
<name>US National Provider Identifier</name>
<providerName>US National Provider Identifier</providerName>
<description>US National Provider Identifier</description>
<customizable>false</customizable>
</Classification>
<classifications>
<regions>
<string>North America</string>
<string>USA</string>
</regions>
<categories>
<string>PHI</string>
<string>PCI</string>
VMware, Inc.
317
<string>PII</string>
</categories>
</Regulation>
</regulations>
<regulationsChanged>false</regulationsChanged>
<excludedAreas/>
<excludedAreasChanged>false</excludedAreasChanged>
<fileFilters>
<extensionsIncluded>false</extensionsIncluded>
</fileFilters>
<fileFiltersChanged>false</fileFiltersChanged>
<classificationValues>
<id>1</id>
<classification>
<id>19</id>
<name>Patient Identification Numbers</name>
<providerName>Patient Identification Numbers</providerName>
<description>Patient Identification Numbers</description>
</classification>
<value>deg</value>
</classificationValues>
<classificationValuesChanged>false</classificationValuesChanged>
<lastUpdatedOn class="sql-timestamp">2012-01-04 21:25:08.0</lastUpdatedOn>
<lastUpdatedBy>admin</lastUpdatedBy>
</DlpPolicy>
Query Published Policy

YoucanretrievethecurrentlypublishedSDDpolicythatisactiveonallvShieldEndpointSVMs.
Example 11-15. Get published SDD policy
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/policy/published
Publish the Updated Policy

Afterupdatingapolicywithaddedregulations,excludedareas,orcustomizedregexvaluespublishthepolicy
toenforcethenewparameters.
Example 11-16. Publish the updated policy
Request:
PUT https://<nsxmgr-ip>/api/2.0/dlp/policy/publish
Data Security Scanning

Runningadatasecurityscanidentifiesdatainyourvirtualenvironmentthatviolatesyourpolicy.
Allvirtualmachinesinyourdatacenterarescannedonceduringascan.Ifthepolicyiseditedandpublished
whileascanisrunning,thescanrestarts.Thisrescanensuresthatallvirtualmachinescomplywiththeedited
policy.Arescanistriggeredbypublishinganeditedpolicy,notbydataupdatesonyourvirtualmachines.
Afteryoustartascan,itcontinuestorununtilyoupauseorstopit.
318
VMware, Inc.
Ifnewvirtualmachinesareaddedtoyourinventorywhileascanisinprogress,thosemachineswillalsobe
scanned.Ifavirtualmachineismovedtoanexcludedclusterorresourcepoolwhilethedatasecurityscanis
inprogress,thefilesonthatvirtualmachinearenotscanned.IncaseavirtualmachineismovedviavMotion
toanotherhost,thescancontinuesonthesecondhost(filesthatwerescannedwhilethevirtualmachinewas
ontheprevioushostarenotscannedagain).
DataSecurityscansonevirtualmachineonahostatatimetominimizeimpactonperformance.VMware
recommendsthatyoupausethescanduringnormalbusinesshourstoavoidanyperformanceoverhead.
Start, Pause, Resume, or Stop a Scan Operation

Youcanstartorstopascanoperation.Thescanoperationoptionsareasfollows:
START:Startanewscan.
PAUSE:Pauseastartedscan.
RESUME:Resumeapausedscan.
STOP:Stopanyscan.
Example 11-17. Start, pause, resume, or stop a scan operation

Request:
PUT https://<nsxmgr-ip>/api/2.0/dlp/scanop
<ScanOp>STOP</ScanOp>
Query Status for a Scan Operation

YoucanretrievethestatusofthescanoperationtodetermineifascanisSTARTED(thatis,inprogress),
PAUSED,orSTOPPED.ThenextScanOpsparameterindicatesthescanoperationspossiblefromyourcurrent
state.Inthefollowingexample,thecurrentscanstateisStoppedandtheonlyactionyoucanperformisStart
thescan.
Example 11-18. Get scan status
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/scanstatus
Response:
<DlpScanStatus>
<currentScanState>STOPPED</currentScanState>
<nextScanOps><ScanOp>START</ScanOp></nextScanOps>
<vmsInProgress>0</vmsInProgress>
<vmsCompleted>0</vmsCompleted>
</DlpScanStatus>
Querying Scan Results

Youcanretrievedetailedresultsofthecurrentdatasecurityscanaswellassummaryresultsfortheprevious
fivescans.
Get List of Virtual Machines Being Scanned

Youcanretrieveinformationaboutthevirtualmachinesbeingscannedbyascan.
Example 11-19. Get list of virtual machines being scanned
Request:
VMware, Inc.
319
GET https://<nsxmgr-ip>/api/2.0/dlp/scan/current/vms/<id>
?scanstatus=COMPLETED&pagesize=10&startindex=1
Response:
<VmScanStatusDp>
<dataPage>
<pagingInfo>
</pagingInfo>
<VmScanStatus>
<vmMoId>vm-25</vmMoId>
<scanStatus>COMPLETED</scanStatus>
<violationCount>8</violationCount>
<vmName>jim-win2k8-32-mux</vmName>
<dcName>jack</dcName>
</VmScanStatus>
</dataPage>
</VmScanStatusDp>
Where
idisanoptionalparameterwhichlimitsthefilterresultsbytheVCMOIDofadatacenter,cluster,or
resourcepool.
scanstatusspecifiesthescanstatusofthevirtualmachinestoberetrieved.Possiblevaluesareall,notstarted,
started,andcompleted.Thislimitstheresultstovirtualmachinesthathavethespecifiedscanstate.
pagesizelimitsthemaximumnumberofentriesreturnedbytheAPI.Thedefaultvalueforthisparameter
is256andthevalidrangeis11024.
startindexspecifiesthestartingpointforretrievingthelogs.Ifthisparameterisnotspecified,logsare
retrievedfromthebeginning.
Get Number of Virtual Machines Being Scanned

Youcanretrievethenumberofvirtualmachinesbeingscanned.
Example 11-20. Get number of virtual machines being scanned
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/scan/current/vms/count/<id>?scanstatus=COMPLETED
Where
scanstatusisanoptionalparameterthatspecifiesthescanstatusofthevirtualmachinestoberetrieved.
Possiblevaluesareall,notstarted,started,andcompleted.Thislimitstheresultstovirtualmachinesthathave
thespecifiedscanstate.
idisanoptionalparameterwhichlimitsthefilterresultsbytheVCMOIDofadatacenter,cluster,or
resourcepool.
Get Summary Information about the Last Five Scans

Youcanretrievethestartandendtime,totalnumberofvirtualmachinesscanned,andtotalnumberof
violationsforthelastfivecompleteddatasecurityscans.
320
VMware, Inc.
Example 11-21. Get summary information about last five scans

Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/completedscansummaries
Response:
<list>
<CompletedScanSummary>
<globalScanId>5</globalScanId>
<startTime class="sql-timestamp">2011-11-09 17:02:48.0</startTime>
<endTime class="sql-timestamp">2011-11-09 17:02:55.0</endTime>
<totalVmsScannedCount>0</totalVmsScannedCount>
<totalViolationCount>0</totalViolationCount>
</CompletedScanSummary>
</list>
Scan ID
Get Information for Virtual Machines Scanned During Previous Scan

Youcanretrievethefollowinginformationaboutthevirtualmachinesscannedduringthepreviousdata
securityscan:
ID
Name
Scanstatus
Violationcount
Example 11-22. Get Information for virtual machines scanned during last scan
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/scan/<scan_ID>/detailsascsv
Retrieve Information About Previous Scan Results

YoucanretrieveadetailedreportabouttheresultsofthepreviousscaninaCSVformat.
Example 11-23. Retrieves Information for virtual machines scanned during last scan
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/scan/<scan_ID>/violatingfilesascsv
Get XML Representation of Policy Used for Previous Scan

YoucanretrievetheXML representation of the policyusedinthepreviousscan.
Example 11-24. Get XML representation of policy used in previous scan
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/scan/<scan_ID>/policyasxml
Response:
<DlpPolicy>
<objectId>dlppolicy-2</objectId>
<type>
<typeName>DlpPolicy</typeName>
VMware, Inc.
321
</type>
<name>Published Policy</name>
<objectTypeName>DlpPolicy</objectTypeName>
<regulations/>
<regulationsChanged>false</regulationsChanged>
<excludedAreas/>
<excludedAreasChanged>false</excludedAreasChanged>
<excludedSecurityGroups>
<basicinfo>
<type>
</type>
<scope>
</scope>
</basicinfo>
</excludedSecurityGroups>
<excludedSecurityGroupsChanged>false</excludedSecurityGroupsChanged>
<includedSecurityGroups>
<basicinfo>
<type reference="../../../excludedSecurityGroups/basicinfo/type"/>
<scope>
</scope>
</basicinfo>
</includedSecurityGroups>
<includedSecurityGroupsChanged>false</includedSecurityGroupsChanged>
<fileFilters>
<extensions>doc,docm,docx,dot,dotx,dotm,wri,xla,xlam,xls,xlt,xltx,xltm,xlsx,xlsb,xlsm,ppt,pptx,pptm,pot,potx,potm,ppsx,ppsm,mdb,
mpp,pdf,txt,log,csv,htm,html,xml,text,rtf,svg,ps,gs,vis,msg,rfc822,pm,swf,dgn,jpg,CATAnalysis,CATDrawing,C
ATFCT,CATMaterial,CATPart,CATProcess,CATProduct,CATShape,CATSWL,CATSystem,3DXML,7z,cab,emx,
gz,hqx,jar,lha,lzh,rar,tar,uue,z,zip,eml,mail,cal,cont,task,note,jrnl,pst</extensions>
</fileFilters>
<fileFiltersChanged>false</fileFiltersChanged>
<classificationValues>
<id>33</id>
<classification>
<id>90</id>
<name>Custom Accounts</name>
<providerName>Custom Accounts</providerName>
<description>Custom Accounts</description>
</classification>
...
<classificationValuesChanged>false</classificationValuesChanged>
<lastUpdatedOn class="sql-timestamp">2011-11-09 16:59:01.0</lastUpdatedOn>
<lastUpdatedBy>dlp</lastUpdatedBy>
322
VMware, Inc.
</DlpPolicy>
Querying Violation Details

Onceyoustartadatasecurityscan,NSXreportstheregulationsthatarebeingviolatedbythefilesinyour
inventory,andtheviolatingfiles.Ifyoufixaviolatingfile(bydeletingthesensitiveinformationfromthefile,
deletingorencryptingthefile,oreditingthepolicy),thefilewillcontinuetobedisplayedintheViolatingfiles
sectionuntilthecurrentscancompletes,andanewscanstartsandcompletes.
YoumustbeaSecurityAdministratororAuditortoviewreports.
Get List of Violation Counts

Youcanviewareportthatdisplaystheviolatedregulationswiththenumberofviolationsforeachregulation.
TheviolatingfilesreportrequiresfilteringbynodeID.
Example 11-25. Get violation count for entire inventory
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/violations/
Example 11-26. Get violation count for specific resource

Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/violations/<context_ID>
ResponseBody
<list>
<Violations>
<scope>
<objectId>group-d1</objectId>
<type>
<typeName>Folder</typeName>
</type>
<name>Datacenters</name>
<objectTypeName>Folder</objectTypeName>
</scope>
<regulation>
<id>100</id>
<name>California AB-1298</name>
<description>Identifies documents and transmissions that contain protected health information (ePHI) and personally
identifiable information (PII) as regulated by California AB-1298 (Civil Code 56, 1785 and
1798). California residents medical and health insurance information, when combined with
personally identifiable information must be protected from unauthorized access, destruction, use,
modification, or disclosure. Any business that operates in California and owns or licenses
computerized ePHI and PII data for California residents, regardless of the physical location of
the business, is required to comply with this law. This policy detects US Social Security
Numbers, credit card numbers, California drivers license numbers, US National Provider
Numbers, group insurance numbers, health plan beneficiary numbers, medical record numbers,
patient identifiers, birth and death certificates and Healthcare Dictionaries.
</description>
<classifications>
<Classification>
<id>76</id>
<name>Health Plan Beneficiary Numbers</name>
<providerName>Health Plan Beneficiary Numbers</providerName>
<description>Health Plan Beneficiary Numbers</description> <customizable>true</customizable>
</Classification>
...
<regions>
VMware, Inc.
323
<string>NA</string>
</regions>
<categories>
<string>PHI</string>
<string>PCI</string>
<string>PII</string>
</categories>
</regulation>
</Violations>
<Violations>
</list>
Wherecontext_ID istheMOIDofadatacenter,cluster,folder,resourcepool,orvirtualmachine.
Get List of Violating Files

Youcanviewareportthatdisplaystheviolatingfilesandtheregulationseachfileviolated.ThisAPIrequires
filteringbycontextnodeID,andreturnsaformattedXMLreportshowingviolatingfiles.
Example 11-27. Get violating files for entire inventory
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/violatingfiles?pagesize=<i>&startindex=<j>
Where:
pagesizeisthenumberofresultstoview.
startindexisthepagenumberfromwhichtheresultsshouldbedisplayed.
Example 11-28. Get violating files for a resource

Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/violatingfiles/<context_ID>?pagesize=<i>&startindex=<j>
ResponseBody:
<ViolatingFiles>
<dataPage>
<pagingInfo>
</pagingInfo>
<ViolatingFile>
<identifier>59</identifier>
<fileName>C:\TruePositives\SocialSecurityNumbersTP1.05.txt</fileName>
<fileExtension />
<fileLastModifiedTime class="sql-timestamp">2011-02-01 15:02:00.0</fileLastModifiedTime>
<vm>
<name>jim-xp32-dlp1</name>
</vm>
<cluster>
<name>JimCluster</name>
</cluster> \
<dataCenter>
</dataCenter>
324
VMware, Inc.
<violations>
<ViolationInfo>
<identifier>99</identifier>
<regulation>
<objectId>152</objectId>
<name>California SB-1386</name>
<description>Identifies documents and transmissions that contain personally identifiable information
(PII) as regulated by California SB-1386 (Civil Code 1798). Businesses that
own or license computerized PII about California residents are required to
maintain security procedures and practices to protect it from unauthorized
access, destruction, use, modification, or disclosure. Any business that operates
in California and owns or licenses computerized PII data for California
residents, regardless of the physical location of the business, is required to
comply with this law. This policy detects US Social Security numbers, credit
card numbers and California drivers license numbers. This regulation has been
amended to protect health and medical information that can be found in
California AB-1298. </description>
<revision>0</revision> </regulation>
<firstViolationReportedTime class="sql-timestamp">2012-01-26
12:56:42.0</firstViolationReportedTime>
<lastViolationReportedTime class="sql-timestamp">2012-01-26
12:56:42.0</lastViolationReportedTime>
<cumulativeViolationCount>1</cumulativeViolationCount>
</ViolationInfo>
</violations>
</ViolatingFile>
</dataPage>
</ViolatingFiles>
Where:
context_IDistheMOIDofadatacenter,cluster,folder,resourcepool,orvirtualmachine..
pagesizeisthenumberofresultstoview.
startindexisthepagenumberfromwhichtheresultsshouldbedisplayed.
Get List of Violating Files in CSV Format

YoucanviewareportthatdisplaystheviolatingfilesandtheregulationseachfileviolatedinaCSVformat.
Example 11-29. Get list of violating files in CSV format
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/violatingfilesascsv
Get Violations in Entire Inventory

YoucanviewareportoftheviolatedregulationsandtheviolatingfilesfortheentireinventoryinCSV(comma
separatedvariable)format.
Example 11-30. Get list of violated regulations
Request:
GET https://<nsxmgr-ip>/api/2.0/dlp/violatingfilescsv/<context_ID>
Wherecontext_ID istheMOIDofadatacenter,cluster,folder,resourcepool,orvirtualmachine.
VMware, Inc.
325
326
VMware, Inc.
12
Activity Monitoring
12
ActivityMonitoringprovidesvisibilityintoyourvirtualnetworktoensurethatsecuritypoliciesatyour
organizationarebeingenforcedcorrectly.
ASecuritypolicymaymandatewhoisallowedaccesstowhatapplications.TheCloudadministratorcan
generateActivityMonitoringreportstoseeiftheIPbasedfirewallrulethattheysetisdoingtheintended
work.Byprovidinguserandapplicationleveldetail,ActivityMonitoringtranslateshighlevelsecuritypolicies
tolowlevelIPaddressandnetworkbasedimplementation.
OnceyouenabledatacollectionforActivityMonitoring,youcanrunreportstoviewinboundtraffic(suchas
virtualmachinesbeingaccessedbyusers)aswellasoutboundtraffic(resourceutilization,interactionbetween
inventorycontainers,andADgroupsthataccessedaserver).
DataCollectiononpage 327
QueryResourcesonpage 330
QueryUserDetailsonpage 333
QueryDiscoveredUserDetailsonpage 337
WorkingwithDomainsonpage 338
WorkingwithActivityMonitoringSyslogSupportonpage 341
Data Collection
YoumustenabledatacollectionforoneormorevirtualmachinesonavCenterServerbeforerunningan
ActivityMonitoringreport.Beforerunningareport,ensurethattheenabledvirtualmachinesareactiveand
aregeneratingnetworktraffic.
YoushouldalsoregisterNSXManagerwiththeADDomainController.SeeWorkingwithDomainson
page 338.
NotethatonlyactiveconnectionsaretrackedbyActivityMonitoring.Virtualmachinetrafficblockedby
firewallrulesatthevNIClevelisnotreflectedinreports.
Incaseofanemergencysuchasanetworkoverload,youcanturnoffdatacollectionatagloballevel.This
overridesallotherdatacollectionsettings.
SomeAPIcallsmayrequiretheVMID,whichistheMOIDoftheguestvirtualmachine.Youcanretrievethis
byqueyingthevCentermobstructure(https:<vcip>/mob).TheVMIDislistedunderhoststructure.
VMware, Inc.
327
Enable Data Collection on a Single Virtual Machine

YoumustenabledatacollectionatleastfiveminutesbeforerunninganActivityMonitoringreport.
Example 12-1. Enable data collection on a virtual machine
Request:
POST https://<nsxmgr_ip>/api/1.0/eventcontrol/vm/<vmID>/request
RequestBody:
<perVmConfig>
<actions>
<action>
<type>per_vm_config</type>
<value>enabled</value>
</action>
</actions>
</perVmConfig>
Disable Data Collection on a Single Virtual Machine

Example 12-2. Disable data collection on a virtual machine
Request:
POST https://<nsxmgr_ip>/api/1.0/eventcontrol/vm/<vmID>/request
RequestBody:
<perVmConfig>
<actions>
<action>
<value>disabled</value>
</action>
</actions>
</perVmConfig>
Override Data Collection

Incaseofanemergencysuchasanetworkoverload,youcanturnoffdatacollectionatagloballevel(jill
switch).Thisoverridesallotherdatacollectionsettings.
Turn On Kill Switch

Example 12-3. Turn on kill switch
Request:
POST https://<nsxmgr_ip>/api/1.0/eventcontrol/eventcontrol-root/request
RequestBody:
<request>
<actions>
<action>
<type>global_switch</type>
</action>
</actions>
</request>
328
VMware, Inc.
Chapter 12 Activity Monitoring
Turn Off Kill Switch

Example 12-4. Turn off kill switch
Request:
POST https://<nsxmgr_ip>/api/1.0/eventcontrol/eventcontrol-root/request
RequestBody:
<request>
<actions>
<action>
</action>
</actions>
</request>
Query Per Virtual Machine Data Collection

Whenreportingpervirtualmachineconfiguration,currentkillswitchstatusisalsoreportedtoo.Theeffective
configurationofavirtualmachineisdeterminedbybothkillswitchconfigandpervirtualmachine
configuration.Ifkillswitchison,eventcollectioniseffectivelydisabledregardlessofwhatitspervirtual
machineconfigurationis;ifkillswitchisoff,pervirtualmachineconfigurationdetermineswhetherevent
collectionshouldbeperformedforthisvirtualmachine.
Example 12-5. Retrieve per virtual machine configuration when kill switch is on and when per virtual machine
configuration is enabled for specified virtual machine
Request:
GET https://<nsxmgr_ip>/api/1.0/eventcontrol/eventcontrol/config/vm/<vm-id>
ResponseBody:
<perVmConfig>
<actions>
<action>
</action>
<action>
</action>
</actions>
</perVmConfig>
Example 12-6. Retrieve per virtual machine configuration when kill switch is off and when per virtualmachine
configuration is enabled for specified virtual machine
Request:
GET https://<nsxmgr_ip>/api/1.0/eventcontrol/eventcontrol/config/vm/<vm-id>
ResponseBody:
<perVmConfig>
<actions>
<action>
VMware, Inc.
329
</action>
<action>
</action>
</actions>
</perVmConfig>
Query Resources
Thismethodallowyoutogettheaggregateduseractivity(actionrecords)forthegivensetofparameters.The
sameAPIisusedforallreports.
Prerequisites
vShield Endpoint must be installed in your environment. See NSX Installation and Upgrade Guide.
NSX Manager must be registered with Active Directory.
Data collection must be enabled on one or more virtual machines.
Table 12-1. Parameters for GET https://<nsxmgr-ip>/api/3.0/ai/records

Parameter
Name
Description
Mandatory?
Valid Values
Default Value
Example
query
Nameofreport
Yes
resource,adg,containers,
sam,vma
query=resource
None
interval
Relativetimeto
currenttime
Yes
numberfollowedbyeither
ofm,h,d,ors
interval=60m,
interval=1h
60m
stime
Starttimeforquery
No.Intervalis
usedifstimeand
etimearenot
specified.
yyyymmddTh24:mi:ss
stime=20120228T21:00
:00
None
etime
Endtimeforquery
No.Intervalis
usedifstimeand
etimearenot
specified.
yyyymmddTh24:mi:ss
etime=20120229T21:00
:00
None
param
Parametertobe
appliedtoquery
Dependson
query
format,
<paramname>:<paramtyp
e>:<commaseparatedvalu
es>:<operator>
param:src:SECURITY_
GROUP:1:INCLUDE
None
pagesize
Numberofrecordsto
beretrieved
No
Anynumber
(recommendedisbetween
1002000)
pagesize=1000
1024
startindex
Startrecordnumber
(usedforpagination)
No
numberforthenextpage
youwanttoretrieve
startindex=100
View Outbound Activity

Youcanviewwhatapplicationsarebeingrunbyasecuritygroupordesktoppoolandthendrilldowninto
thereporttofindoutwhichclientapplicationsaremakingoutboundconnectionsbyaparticulargroupof
users.Youcanalsodiscoverallusergroupsanduserswhoareaccessingaparticularapplication,whichcan
helpyoudetermineifyouneedtoadjustidentityfirewallinyourenvironment.
Parameter Values
330
query=resource
param=<paramname>:<paramtype>:<commaseparatedvalues>:<operator>
VMware, Inc.
possiblevaluesforresourcequerytype,
<paramname>
src
dest
app
requiredparameters=src,dest
<paramtype>
forsrcSECURITY_GROUP,DIRECTORY_GROUP,DESKTOP_POOL
fordestVIRTUAL_MACHINE
forappSRC_APP
ParameterValuescommaseparatednumbers(optional).Ifnonespecifiedthennofilterisapplied.
<operator>INCLUDE,EXCLUDE(defaultisINCLUDE)
Example 12-7. View user activities to VM id 1 originating from application id 1

Request:
GET
https://<nsxmgr_ip>/api/3.0/ai/records?query=resource&interval=60m&param=src:DIRECTORY_GROUP&par
am=dest:VIRTUAL_MACHINE:1&param=app:SRC_APP:1
View Inbound Activity

You can view all inbound activity to a server by desktop pool, security group, or AD group.
Parameter Values
query=sam
<paramname>
src
dest
app
<paramtype>
forappDEST_APP
<operator>INCLUDE,EXCLUDE,NOT(defaultisINCLUDE)

Request:
VMware, Inc.
331
GET https://<nsxmgr_ip>/api/3.0/ai/records?query=containers&interval=60m&
param=dest:SECURITY_GROUP:1:EXCLUDE&param=src:SECURITY_GROUP:1
View Interaction between Inventory Containers

YoucanviewthetrafficpassingbetweendefinedcontainerssuchasADgroups,securitygroupsand/or
desktoppools.Thiscanhelpyouidentifyandconfigureaccesstosharedservicesandtoresolvemisconfigured
relationshipsbetweenInventorycontainerdefinitions,desktoppoolsandADgroups.
Parameter Values
query=containers
<paramname>
src
dest
<paramtype>
fordestSECURITY_GROUP,DESKTOP_POOL
Example 12-9. View interaction between inventory containers

Request:
GET https://<nsxmgr_ip>/api/3.0/ai/records?query=containers&interval=60m&
param=dest:SECURITY_GROUP:1:EXCLUDE&param=src:SECURITY_GROUP:1
View Outbound AD Group Activity

YoucanviewthetrafficbetweenmembersofdefinedActiveDirectorygroupsandcanusethisdatatofine
tuneyourfirewallrules.
Parameter Values
query=adg
<paramname>
src
adg
requiredparameters=src
<paramtype>
332
srcSECURITY_GROUP,DESKTOP_POOL
adgUSER
VMware, Inc.

Request:
GET https://<nsxmgr_ip>/api/3.0/ai/records?query=adg&interval=24h&
param=adg:USER:1:INCLUDE&param=src:SECURITY_GROUP:1:EXCLUDE
Query User Details

Thismethodallowsyoutoretrieveuserdetailrecordsforthegivensetofparameters.
Table 12-2. Parameters for GET https://<nsxmgr-ip>/api/3.0/ai/userdetails

Paramete
r Name
Description
Mandatory?
Valid Values
Default Value
Example
query
Nameofreport
Yes
resource,adg,contain
ers,sam,vma
query=resource
None
interval
Relativetimeto
currenttime
Yes
numberfollowedby
eitherofm,h,d,ors
interval=60m,interval=1h
60m
stime
Starttimeforquery
No.Intervalisusedif
stimeandetimeare
notspecified.
yyyymmddTh24:mi
:ss
stime=20120228T21:00:00
None
etime
Endtimeforquery
No.Intervalisusedif
stimeandetimeare
notspecified.
yyyymmddTh24:mi
:ss
etime=20120229T21:00:00
None
param
Parametertobe
appliedtoquery
Dependsonquery
format,
<paramname>:<para
mtype>:<commasep
aratedvalues>:<oper
ator>
param:src:SECURITY_GRO
UP:1:INCLUDE
None
pagesize
Numberofrecordsto
beretrieved
No
Anynumber
(recommendedis
between1002000)
pagesize=1000
1024
startindex
Startrecordnumber
(usedforpagination)
No
numberforthenext
pageyouwantto
retrieve
startindex=100
View Outbound Activity

Youcanviewwhatapplicationsarebeingrunbyasecuritygroupordesktoppoolandthendrilldowninto
thereporttofindoutwhichclientapplicationsaremakingoutboundconnectionsbyaparticulargroupof
users.Youcanalsodiscoverallusergroupsanduserswhoareaccessingaparticularapplication,whichcan
helpyoudetermineifyouneedtoadjustidentityfirewallinyourenvironment.
Parameter Values
query=resource
possiblevaluesforresourcequerytype,
<paramname>
VMware, Inc.
src
dest
333
<paramtype>
fordestIP(thishastobeavalidIPaddressinthedotnotation,xx.xx.xx.xx)
forappSRC_APP
Example 12-11. View user activities to VM id1 originating from application id1
Request:
GET
https://<nsxmgr_ip>/api/3.0/ai/userdetails?query=resource&stime=2012-10-15T00:00:00&etime=2012-10-20T0
0:00:00&param=src:DIRECTORY_GROUP:2&param=app:SRC_APP:16&param=dest:IP:172.16.4.52
View Inbound Activity

You can view all inbound activity to a server by desktop pool, security group, or AD group.
Parameter Values
query=sam
<paramname>
src
dest
app
requiredparameters=src,dest,app
<paramtype>
forappDEST_APP

Request:
GET
https://<nsxmgr_ip>/api/3.0//userdetails?query=sam&interval=60m&param=app:DEST_APP:1:EXCLUDE&par
am=dest:IP:1:EXCLUDE&param=src:SECURITY_GROUP:1:EXCLUDE
View Interaction between Inventory Containers

YoucanviewthetrafficpassingbetweendefinedconatinerssuchasADgroups,securitygroupsand/or
desktoppools.Thiscanhelpyouidentifyandconfigureaccesstosharedservicesandtoresolvemisconfigured
relationshipsbetweenInventorycontainerdefinitions,desktoppoolsandADgroups.
334
VMware, Inc.
Parameter Values
query=containers
<paramname>
src
dest
<paramtype>
fordestSECURITY_GROUP,DESKTOP_POOL

Request:
GET
https://<nsxmgr_ip>/api/3.0/ai/userdetails?query=containers&interval=60m&param=dest:SECURITY_GROUP:
1:EXCLUDE&param=src:SECURITY_GROUP:1
View Outbound AD Group Activity

YoucanviewthetrafficbetweenmembersofdefinedActiveDirectorygroupsandcanusethisdatatofine
tuneyourfirewallrules.
Parameter Values
query=adg
<paramname>
src
adg
requiredparameters=src
<paramtype>
adgUSER

Request:
GET
https://<nsxmgr_ip>/api/3.0/ai/userdetails?query=adg&interval=24h&param=adg:USER:1:INCLUDE&param=sr
c:SECURITY_GROUP:1:EXCLUDE
VMware, Inc.
335
View Virtual Machine Activity Report

Youcanviewtraffictoorfromavirtualmachineorasetofvirtualmachinesinyourenvironment.
Parameter Values
query=vma
<paramname>
src(foroutboundtraffic)
dest(forinboundtraffic)
appSRC_APP,DEST_APP
requiredparameters=none(ifnoparameterpassedthenthiswouldshowallSAMactivities)
<paramtype>
destVIRTUAL_MACHINE,VM_UUID
adgUSER
Example 12-15. View inbound vm activities to a VM id1 for a specific service used (app=16)
Request:
GET
https://<nsxmgr_ip>/api/3.0/ai/userdetails?query=vma&interval=60m&param=dest:VIRTUAL_MACHINE:1&p
aram=app:DEST_APP:16
ResponseBody:
<DataPage>
<pagingInfo>
</pagingInfo>
<aiActionRecord>
<application>JABBER</application>
<destHost>PMI-BL-X61$</destHost>
<destIP>172.16.4.21</destIP>
<id>0</id>
<srcContainer>HOKUIFLVPC</srcContainer>
</aiActionRecord>
<aiActionRecord>
<application>SLP</application>
<destHost>ENGG-LAPTOP-002$</destHost>
<id>0</id>
</aiActionRecord>
<aiActionRecord>
<application>KEYSERV</application>
<destHost>PMI00ELTON03$</destHost>
336
VMware, Inc.
<id>0</id>
</aiActionRecord>
<aiActionRecord>
<application>ACCOUNT_MGMT</application>
<destHost>PMIFEEXCH01$</destHost>
<id>0</id>
</aiActionRecord>
<aiActionRecord>
<application>PNA</application>
<destHost>IDC-DEV-1$</destHost>
<id>0</id>
</aiActionRecord>
</DataPage>
Query Discovered User Details

Thismethodretrievesthelistofalldiscoveredusers(bothbyagentintrospectionandLDAPSync)andtheir
detail.
Example 12-16. Retrieve user details
Retrieveuserdetailsforaspecificuser:
GET https://<nsxmgr_ip>/api/3.0/ai/user/<userID>
Retrieveappdetails:
GET https://<nsxmgr_ip>/api/3.0/ai/app
Retrieveapplicationdetailsforaspecificapplication:
GET https://<nsxmgr_ip>/api/3.0/ai/app/<appID>
Retrievelistofalldiscoveredhosts(bothbyagentintrospectionandLDAPSync)andtheirdetail:
GET https://<nsxmgr_ip>/api/3.0/ai/host
Retrievehostdetails:
GET https://<nsxmgr_ip>/api/3.0/ai/host/<hostID>
Retrievelistofalldiscovereddesktoppoolsbyagentintrospection:
GET https://<nsxmgr_ip>/api/3.0/ai/desktoppool
Retrievedetailsspecificdesktoppool:
GET https://<nsxmgr_ip>/api/3.0/ai/desktoppool/<desktoppoolID>
Retrievelistofalldiscoveredvirtualmachines:
GET https://<nsxmgr_ip>/api/3.0/ai/vm
Retrievedetailsaboutaspecificvirtualmachine:
GET https://<nsxmgr_ip>/api/3.0/ai/vm/<vmID>
Retrievelistofallthediscovered(andconfigured)LDAPdirectorygroups:
GET https://<nsxmgr_ip>/api/3.0/ai/directorygroup
Retrievedetailsaboutaspecificdirectorygroups:
GET https://<nsxmgr_ip>/api/3.0/ai/directorygroup/<directorygroupID>
VMware, Inc.
337
RetrievelistofADgroupsauserbelongsto:
GET https://<nsxmgr_ip>/api/3.0/ai/directorygroup/user/<userID>
Retrievelistofalltheobservedsecuritygroups.Observedentitiesaretheonesthatarereportedbytheagents.
Forex,ifahostactivityisreportedbyanagentandifthathostbelongstoasecuritygroupthenthatsecurity
groupwouldreportedasobservedinSAMdatabase:
GET https://<nsxmgr_ip>/api/3.0/ai/securitygroup
Retrievedetailsaboutspecificsecuritygroup:
GET https://<nsxmgr_ip>/api/3.0/ai/securitygroup/<securitygroupID>
Working with Domains

Afteryoucreateadomain,youcanapplyasecuritypolicytoitandrunqueriestoviewtheapplicationsand
virtualmachinesbeingaccessedbytheusersofadomain.
Register a Domain with NSX Manager

YoucanaregisteroneormoreWindowsdomainswithanNSXManagerandassociatedvCenterserver.
NSXManagergetsgroupanduserinformationaswellastherelationshipbetweenthemfromeachdomain
thatitisregisteredwith.NSXManageralsoretrievesActiveDirectorycredentials.
YoucanapplysecuritypoliciesonanActiveDirectorydomainandrunqueriestogetinformationonvirtual
machinesandapplicationsaccessedbyuserswithinanActiveDirectorydomain.
Example 12-17. Register or update domain
Request:
POST https://<nsxmgr_ip>/api/3.0/directory/updateDomain
RequestBody:
<DirectoryDomain>
<name>vs4.net</name>
<type>ActiveDirectory</type>
<netbiosName>VS4</netbiosName>
<username>Administrator</username>
<password>xxx</password>
</DirectoryDomain>
ResponseBody:
<DirectoryDomain>
<id>2</id>
<baseDn>DC=vs4,DC=net</baseDn>
</DirectoryDomain>
338
VMware, Inc.
Parameter Values for Register/Update Domain
Parameter Name
Description
Mandatory?
ID
Domainid.
Ifyouwanttocreateanewdomain,donotprovidethisvalue.Otherwise,systemwillfindan
existingdomainobjectbythisIDandupdateit.
true if
update
existing
domain
name
Domainname.
Thisshouldbedomainsfullqualifiedname.Incaseagentdiscovered,thiswillbeNetBIOS
name,soyouneedtoupdateittoFQNinordertosupportLDAPsyncandeventlogreader.
trueifcreatinga
newdomain
description
Domaindescription
false
type
Domaintype.
Validvalueinclude:AGENT_DISCOVERED,ActiveDirectory,SPECIAL
DoNOTmodifySPECIALdomain(wewillputguardlater).ForLDAPsyncandeventlog
readerwork,thisneedtobesenttoActiveDirectory.
trueifcreatinga
newdomain
netbiosName
NetBIOSnameofdomain.
ThisisDomainsNetBIOSname.Checkwindowsdomainsetting,forvalueofit.Normally
AgentreportdomainnameisNetBIOSname.ButconfirmfromWindowsdomainsetting.
false
baseDn
DomainsBaseDN(forLDAPsync).
BaseDNisREQUIREDforLDAPSync.Ifyouhaveadomainlike:w2k3.vshield.vmware.com,
thebaseDNisverylikelytobe:DC=w2k3,DC=vshield,DC=vmware,DC=com.Another
exampleis:domainnameis:vs4.net,thebaseDNshouldbe:DC=vs4,DC=net.Ifyoudont
knowwhatisthis,useaLDAPclientandconnecttodomaincontroller,thatwillgiveyou
domainsbaseDN.
false
rootDn
LDAPSyncrootDN.
SpecifywhereshouldLDAPsyncstartfromLDAPtree.Thiscouldbeabsolutepath,for
example:OU=Engineer,DC=vs4,DC=net,orrelativepath(relatetoBaseDN),forexample:
OU=Engineer.Dontusethiscolumninmostcases.
false
securityId
DomainsSecurityID(SID).
ThisshouldbefilledbyLDAPsyncprocess,justdontusethiscolumnunlessyouknowwhat
youaredoing.
false
username
DomainsUsername(UsedforLDAPSyncand/orEventLogreader)
false
password
Userpassword
false
eventLogUsernam
e
Domainseventlogreaderusername(willuseaboveusernameifthisisNULL)
false
eventLogPassword
Domainseventlogreaderpassword
false
Query Domains
Retrievesallagentdiscovered(orconfigured)LDAPdomains.
Example 12-18. Query domains
Request:
GET https://<nsxmgr_ip>/api/1.0/directory/listDomains
ResponseBody:
<DirectoryDomains>
<DirectoryDomain>
<id>2</id>
<baseDn>DC=vs4,DC=net</baseDn>
VMware, Inc.
339
</DirectoryDomain>
</DirectoryDomains>
Delete Domain
Deletesdomain.
Example 12-19. Delete domain
Request:
DELETE https://<nsxmgr_ip>/api/1.0/directory/deleteDomain/<Domain Id>
Working with LDAP Servers

Example 12-20. Create LDAP server
Request:
POST https://<nsxmgr_ip>/api/1.0/directory/updateLdapServer
RequestBody:
<LDAPServer>
<domainId>4</domainId>
</LDAPServer>
IftheResponseBodyisnot200 for OK,logintoyourNSXManagerandtrytopingthehostname.

Example 12-21. LDAP server calls
QueryLDAPserversforadomain:
GET https://<nsxmgr_ip>/api/1.0/directory/listLdapServersForDomain/<domain id>
StartLDAPfullsync:
PUT https://<nsxmgr_ip>/api/1.0/directory/fullSync/<domain id>
StartLDAPdeltasync:
PUT https://<nsxmgr_ip>/api/1.0/directory/deltaSync/<domain id>
DeleteLDAPserver:
DELETE https://<nsxmgr_ip>/api/1.0/directory/deleteLdapServer/<LdapServerID>
Working with EventLog Servers

Example 12-22. Create EventLog server
Request:
POST https://<nsxmgr_ip>/api/1.0/directory/updateEventLogServer
RequestBody:
<EventlogServer>
<id>1</id>
340
VMware, Inc.
<domainId>4</domainId>
</EventlogServer>
Example 12-23. EventLog server calls

QueryEventLogserversforadomain:
GET https://<nsxmgr_ip>/api/1.0/directory/listEventLogServersForDomain/<EventLogServer id>
DeleteEventLogserver:
DELETE https://<nsxmgr_ip>/api/1.0/directory/deleteEventLogServer/<EventLogServerID>
Working with Mapping Lists

Example 12-24. Query mapping lists
Queryusertoipmappinglistfromdatabase:
GET https://<nsxmgr_ip>/api/1.0/identity/userIpMapping
Queryhosttoipmappinglistfromdatabase:
GET https://<nsxmgr_ip>/api/1.0/identity/hostIpMapping
QuerysetofusersassociatedwithagivensetofIPaddressesduringaspecifiedtimeperiod.Sincemorethan
oneusercanbeassociatedwithasingleIPaddressduringthespecifiedtimeperiod,eachIPaddresscanbe
associatedwithzeroormore(i.eaSETof)users:
GET https://<nsxmgr_ip>/api/1.0/identity/ipToUserMapping
QuerysetofWindowsDomainGroups(ADGroups)towhichthespecifieduserbelongs:
GET https://<nsxmgr_ip>/api/1.0/identity/directoryGroupsForUser
CreatestaticuserIPmapping:
POST https://<nsxmgr_ip>/api/1.0/identity/staticUserMapping/<userID>/<IP>
QuerystaticuserIPmappinglist:
GET https://<nsxmgr_ip>/api/1.0/identity/staticUserMappings
QuerystaticuserIPmappingforspecifieduser:
GET https://<nsxmgr_ip>/api/1.0/identity/staticUserMappingsbyUser/<userID>
QuerystaticuserIPmappingforspecifiedIP:
GET https://<nsxmgr_ip>/api/1.0/identity/staticUserMappingsbyIP/<userID>
DeletestaticuserIPmappingforspecifieduser:
DELETE https://<nsxmgr_ip>/api/1.0/identity/staticUserMappingsbyUser/<userID>
DeletestaticuserIPmappingforspecifiedIP:
DELETE https://<nsxmgr_ip>/api/1.0/identity/staticUserMappingsbyIP/<userID>
Working with Activity Monitoring Syslog Support

Example 12-25. Enable Activity Monitoring syslog support
Request:
VMware, Inc.
341
POST https://<vsm_ip>/api/1.0/sam/syslog/enable
Example 12-26. Disable Activity Monitoring syslog support

Request:
POST https://<vsm_ip>/api/1.0/sam/syslog/disable
342
VMware, Inc.
13
Task Framework Management
13
TheNSXManagerrequirescommunicationwithyourvCenterServerandservicessuchasDNSandNTPto
providedetailsonyourVMwareInfrastructureinventory.
AboutTaskFrameworkonpage 343
QueryJobInstancesforJobIDonpage 344
QueryLatestJobInstancesforJobIDonpage 345
BlockRESTThreadonpage 345
QueryJobInstancesbyCriteriononpage 345
IMPORTANTAllRESTrequestsrequireauthentication.SeeUsingtheNSXRESTAPIonpage 25fordetails
aboutbasicauthorization.
About Task Framework

Thetaskframeworkprovidestheabstractionneededtoexecuteasynchronoustasksusingaglobalthreadpool.
AJobisidentifiedbyaJobID.Ajobhasasetoftaskswithinit.Thesetasksareexecutedeithersynchronously
orinparallelbasedontheirdependencieswithothertasksintheJob.TheJobistheprimaryinterfaceto
interactwiththeTaskFrameworktogetthedetailsofthejobandthetaskswithinit.Thiscouldbethestatus
ofthejob,thestatusofthetaskswithinit,etc.
WhenaJobisscheduledforexecution,itisputintoaqueuedstate.Thisistrueforajobthathastoexecute
immediatelyorajobthatisscheduledforlaterexecution.
Atthescheduledtimewhenthetaskrunsitisputintoexecutingstate.Oncethetaskfinishesitsexecution,it
isconsideredascompleted.Thetaskframeworkthenqueriesthetasktocheckiftheexecutionwassuccessful
ornot.Basedonthisstatus,thetaskismarkedascompletedorfailed.Ifthetaskissuccessful,thenexttaskin
theJobisexecuted.Ifthetaskfails,theappropriatefaultpolicyactionistaken.
Thefaultpolicyspecifiesthetypeofactiontobetakenasoneofthefollowing:
Retry:Frameworkattemptstoretrythetask.Jobdata/datapopulatedduringtheearlierrunissupplied
tothetaskbeforeexecution.
Rollback:Frameworkrollsbackthetask.
RollbackRetry:Frameworkrollsbackthetaskandretriesit.
Abort:Frameworkabortsthetask(andtheJob).
Ignore:Frameworkignoresthefailure/timeoutandproceedswithexecutionofsubsequenttasks,ifany,
inthejob.
VMware, Inc.
343
Everytaskcandefineatimeoutvaluewhichindicatesthemaximumesitmatedtimeforthetasktocomplete.
Beyondthistime,thetaskisconsideredtohavetimedoutandanappropriatefaultpolicyactionistakenon
thetask.Thetaskframeworkmonitorstheexecutingtasksatperiodicintervalsoftimetocheckwhetherthey
havetimedout.Ifthefaultpolicyindicatesthataretryhastobedoneincaseofatimeout,thetaskframework
retriesthetask.
Query Job Instances for Job ID

RetrievesalljobinstancesforthespecifiedjobID.Ifajobisaonetimejob,asinglejobinstanceisreturned.If
ajobisarecurringjob,allinstancesforthegivenjobIDarereturned.
Example 13-1. Query job instances
RequestBody:
GET https://<nsxmgr-ip>/api/2.0/services/taskservice/job/<jobID>
ResponseBody:
<jobInstances>
<jobInstance>
<id>jobinstance-1</id>
<name>SVM Updater</name>
<taskInstances>
<taskInstance>
<id>taskinstance-1</id>
<startTimeMillis>1375867719752</startTimeMillis>
<endTimeMillis>1375867720025</endTimeMillis>
<taskStatus>COMPLETED</taskStatus>
<timeoutRetryCount>0</timeoutRetryCount>
<failureRetryCount>0</failureRetryCount>
<taskOutput />
<taskData />
</taskInstance>
</taskInstances>
<startTimeMillis>1375867719663</startTimeMillis>
<endTimeMillis>1375867720050</endTimeMillis>
<timeoutRetryCount>0</timeoutRetryCount>
<failureRetryCount>0</failureRetryCount>
<job>
<id>jobdata-1</id>
<description>Updating all sdd SVMs at startup.</description>
<creationTimeMillis>1375867718710</creationTimeMillis>
<nextExecutionTimeMillis>0</nextExecutionTimeMillis>
<taskList>
<task>
<id>task-1</id>
<description>Updating all sdd SVMs at startup.
</description>
<failurePolicy>
<faultAction>RETRY</faultAction>
<retryLimit>30</retryLimit>
<retryInterval>60000</retryInterval>
</failurePolicy>
<timeoutPolicy>
<faultAction>IGNORE</faultAction>
<retryLimit>0</retryLimit>
<retryInterval>-1</retryInterval>
</timeoutPolicy>
<timeoutMillis>-1</timeoutMillis>
<visible>false</visible>
344
VMware, Inc.
Chapter 13 Task Framework Management
<systemTask>true</systemTask>
<taskClass>com.vmware.vshield.dlp.service.impl.DlpServiceImpl$1
</taskClass>
<creationTimeMillis>1375867718729
</creationTimeMillis>
<nextExecutionTime>0</nextExecutionTime>
</task>
</taskList>
<jobOwner>Unknown</jobOwner>
<scope>/globalroot-0</scope>
</job>
<jobOutput />
</jobInstance>
</jobInstances>
Query Latest Job Instances for Job ID

Incaseofcronjobsorfixeddelayjobs,therecanbemultiplejobinstancesforthesamejobdependingupon
thenumberoftimesthejobwasexecuted.Thiscallfetchesthelatestjobinstanceforagivenjobid.
RequestBody:
ResponseBody:
SeeExample 131
Block REST Thread

ThisisablockingcallwhereaservicehasscheduledajobandaRESTthreadneedstobeblockedtillthejob
getscompleted.Ifthejobwasalreadycompleted,thenthejobinstanceisreturnedimmediately.Ifthejobis
stillexecutingthentheRESTthreadisblockedandreturnsafterthejobcompletes.
RequestBody:
ResponseBody:
SeeExample 131.
Query Job Instances by Criterion

Youcanspecifyfilteringcriteriaandpaginginformationandquerythetaskframework.
Example 13-4. Query job instances by criterion
RequestBody:
GET
https://<nsxmgr-ip>/api/2.0/services/taskservice/job/startIndex=<0>&pageSize=<10>&sortBy=startTime&sortOr
derAscending=false|true
ResponseBody:
VMware, Inc.
345
SeeExample 131.
346
VMware, Inc.
14
Object IDs
14
ThissectiondescribeshowtoretrievetheIDsfortheobjectsinyourvirtualinventory.
QueryDatacenterMOIDonpage 347
QueryDatacenterIDonpage 347
QueryHostIDonpage 347authentication
QueryPortgroupIDonpage 348
QueryVMIDonpage 348
Query Datacenter MOID

1
Clickcontent.
ThedatacenterMOIDisdisplayedontopofthewindow.
Query Datacenter ID
1
Clickcontent.
ThedatacentervalueisthedatacenterID.
Query Host ID
1
VMware, Inc.
347
Clickcontent.
Thehost valueisthehostID.
Query Portgroup ID
1
Clickcontent.
Clickonthehost value.
ThenetworkpropertyvalueistheportgroupID.
Query VMID
TheVMIDislistedunderhoststructure.
348
VMware, Inc.
15
vShield Endpoint Management
15
UsingthesewithnewerNSX6.0basedsolutionscouldresultinlossoffeatures.
ThemanagementAPIlistedinthischapteraretobeusedonlywithvShieldPartnersolutionsthatweredevelopedwithEPSecPartnerProgram3.0orearlier(forvShield5.5orearlier).ThesepartnersolutionsarealsosupportedonNSX6.0andneedtheAPIslistedbelow.TheseAPIshouldnotbeusedwithpartnersolutionsdevelopedspecificallyforNSX6.0orlater,asthesenewersolutionsautomatetheregistrationanddeploymentprocessbyusingthenewfeaturesintroducedinNSX.
AvShieldEndpointappliancedeliversanintrospectionbasedantivirussolutionthatusesthehypervisorto
scanguestvirtualmachinesfromtheoutsidewithonlyathinagentoneachguestvirtualmachine.
OverviewofSolutionRegistrationonpage 349
RegisteringaSolutionwithvShieldEndpointServiceonpage 350
QueryingRegistrationStatusofvShieldEndpointonpage 351
QueryingActivatedSecurityVirtualMachinesforaSolutiononpage 352
UnregisteringaSolutionwithvShieldEndpointonpage 353
StatusCodesandErrorSchemaonpage 354
IMPORTANTAllvShieldRESTrequestsrequireauthentication.SeeUsingtheNSXRESTAPIonpage 25for
Overview of Solution Registration

ToregisterathirdpartysolutionwithvShieldEndpoint,clientscanusefourRESTcallstodothefollowing:
1
Registerthevendor.
Registeroneormoresolutions.
SetthesolutionIPaddressandport(forallhosts).
Activateregisteredsolutionsperhost.
NOTESteps1through3needtobeperformedoncepersolution,whilestep4needstobeperformedforeach
host.
Tounregisterasolution,clientsessentiallyperformthesestepsinreverse:
5
Deactivatesolutionsperhost.
UnsetasolutionsIPaddressandport.
Unregistersolutions.
Unregisterthevendor.
Toupdateregistrationinformationforavendororsolution,clientsmustfirstunregisterthatentityandthen
reregister.ThefollowingsectionsdetailthespecificRESTcallstoperformregistrationandunregistration.
VMware, Inc.
349
Registering a Solution with vShield Endpoint Service

TheAPIsdescribedinthissectionregisteravendor,solutions,setnetworkaddress,andactivatesolutions.
Foralistofreturnstatuscodes,seeReturnStatusCodesonpage 354.
Register a Vendor
Youcanregisterthevendorofanantivirussolution.
Example 15-1. Register a vendor
Request:
POST https://<nsxmgr-ip>/api/2.0/endpointsecurity/registration
RequestBody:
<VendorInfo>
<id>vendor_id</id>
<title>vendor_title</title>
<description>vendor_description</description>
</VendorInfo>
Intherequestbody,vendor_idistheVMwareassignedIDforthevendor,whilevendor_titleand
vendor_descriptionarevendorprovidedstrings.
Register a Solution
Youcanregisteranantivirussolution.
Example 15-2. Register a solution
Request:
POST https://<nsxmgr-ip>/api/2.0/endpointsecurity/registration/<vendor_id>
RequestBody:
<SolutionInfo>
<altitude>solution_altitude</altitude>
<title>solution_title</title>
<description>solution_description</description>
</SolutionInfo>
Intherequest,<vendor_id>isthepreviouslyregisteredIDforthevendor.
Intherequestbody,solution_altitudeistheVMwareassignedaltitudeforthesolution,solution_titleand
solution_descriptionarevendorprovidedstrings.SeeAltitudeofaSolutiononpage 350.
Altitude of a Solution
AltitudeisanumberthatVMwareassignstouniquelyidentifythesolution.Thealtitudedescribesthetypeof
solutionandtheorderinwhichthesolutionreceiveseventsrelativetoothersolutionsonthesamehost.
IP Address and Port for a Solution

YoucansetasolutionsIPaddressandportonthevNIChost.
Example 15-3. Set IP address and port
Request:
POST https://<nsxmgr-ip>/api/2.0/endpointsecurity/registration/<vendor_id>/<altitude>/location
350
VMware, Inc.
Chapter 15 vShield Endpoint Management
RequestBody:
<LocationInfo>
<ip>solution_ip_address</ip>
<port>solution_port</port>
</LocationInfo>
Intherequest,<vendor_id>isthepreviouslyregisteredIDforthevendor,and<altitude>forthealtitude.
Intherequestbody,solution_ip_addressisthesolutionsIPv4addressforthevNICthatisconnectedtothe
VMkernelportgroup(forexample,169.254.1.31).ThisaddressmustbewithintherangeofVMwareassigned
IPaddressesforthesolution.Thesolution_portistheportonwhichthesolutionacceptsconnections.
Ifyouwanttochangethelocationofasolution,deactivateallsecurityvirtualmachines,changethelocation,
andthenreactivateallsecurityvirtualmachines.
Activate a Solution
Youcanactivateasolutionthathasbeenregisteredandlocated.
Example 15-4. Activate solution
Request:
POST https://<nsxmgr-ip>/api/2.0/endpointsecurity/activation/<vendor_id>/<altitude>
RequestBody:
<ActivationInfo>
<moid>svm_moid</moid>
</ActivationInfo>
Intherequest,<vendor_id>isthepreviouslyregisteredIDforthevendor,and<altitude>forthealtitude.
Intherequestbody,svm_moidisthemanagedobjectIDoftheactivatedsolutionsvirtualmachine.
Querying Registration Status of vShield Endpoint

YoucanusethesameURLsshownintheprevioussectionwiththeGETmethodtoretrievevendorregistration
information,solutionregistrationinformation,locationinformation,andsolutionactivationstatus.
Get Vendor Registration

Youcanretrievevendorregistrationinformation.
Example 15-5. Get list of all registered vendors
Request:
GET https://<nsxmgr-ip>/api/2.0/endpointsecurity/registration/vendors
Example 15-6. Get vendor registration information

Request:
GET https://<nsxmgr-ip>/api/2.0/endpointsecurity/registration/<vendor_id>
Get Solution Registration

Youcanretrievesolutionregistrationinformation.
VMware, Inc.
351
Example 15-7. Get all registered solutions for a vendor

Request:
GET https://<nsxmgr-ip>/api/2.0/endpointsecurity/registration/<vendor_id>/solutions
Example 15-8. Get solution registration information

Request:
GET https://<nsxmgr-ip>/api/2.0/endpointsecurity/registration/<vendor_id>/<altitude>
Get IP Address of a Solution

ThiscallretrievestheIPaddressandportassociatedwithasolution.
Example 15-9. Get IP address and port of a solution
Request:
GET https://<nsxmgr-ip>/api/2.0/endpointsecurity/registration/<vendor_id>/<altitude>/location
Get Activation Status of a Solution

Thiscallretrievessolutionactivationstatus,giventhemanagedobjectreference<moid>ofitsvirtualmachine.
Example 15-10. Get activation status of a solution
Request:
GET https://<nsxmgr-ip>/api/2.0/endpointsecurity/activation/<vendor_id>/<altitude>/<moid>
Statuscanbefalse(notactivated)ortrue(activated).
Querying Activated Security Virtual Machines for a Solution

Youcanretrievealistofactivatedsecurityvirtualmachinesforasolution,aswellastheactivationinformation
forallactivatedsecurityvirtualmachinesonahost.
Query Activated Security Virtual Machines

Youcanretrievealistofactivatedsecurityvirtualmachinesforthespecifiedsolution.
Example 15-11. Get activated security virtual machines
Request:
GET https://<nsxmgr-ip>/api/2.0/endpointsecurity/activation/<vendor_id>/<solution_id>
ResponseBody:
<ActivatedSVMs>
<ActivationInfo>
<moid>vm-819</moid>
<hostMoid>host-9</hostMoid>
<vmName>VMWARE-Data Security-10.24.130.174</vmName>
<clusterName>Dev</clusterName>
<dcName>dev</dcName>
<vendorId>VMWARE</vendorId>
352
VMware, Inc.
<solutionId>6341068275337723904</solutionId>
</ActivationInfo>
...
</ActivatedSVMs>
Intherequest,vendor_idistheVMwareassignedIDforthevendor,whilesolution_idisthesolutionID.
Query Activation Information

Youcanretrieveactivationinformationforallactivatedsecurityvirtualmachinesonthespecifiedhost.
Example 15-12. Get activation information
Request:
GET https://<nsxmgr-ip>/api/2.0/endpointsecurity/activation?hostId=<hostID>
ResponseBody:
<ActivatedSVMs>
<ActivationInfo>
<moid>vm-819</moid>
<hostMoid>host-9</hostMoid>
<vmName>VMWARE-Data Security-10.24.130.174</vmName>
<clusterName>Dev</clusterName>
<dcName>dev</dcName>
<vendorId>VMWARE</vendorId>
<solutionId>6341068275337723904</solutionId>
</ActivationInfo>
...
</ActivatedSVMs>
Unregistering a Solution with vShield Endpoint

YoucanusethesameURIsshowninthefirstsectionwiththeDELETEmethodtounregisteravendor,
unregisterasolution,unsetlocationinformation,ordeactivateasolution.
Unregister a Vendor
Thiscallunregistersavendor.
Example 15-13. Unregister a vendor
Request:
DELETE https://<nsxmgr-ip>/api/2.0/endpointsecurity/registration/<vendor_id>
Unregister a Solution
Thiscallunregistersasolution.
Example 15-14. Unregister a vendor
Request:
DELETE https://<nsxmgr-ip>/api/2.0/endpointsecurity/registration/<vendor_id>/<altitude>
VMware, Inc.
353
Unset IP Address
ThiscallunsetsasolutionsIPaddressandport.
Example 15-15. Unset IP address and port
Request:
DELETE https://<nsxmgr-ip>/api/2.0/endpointsecurity/registration/<vendor_id>/<altitude>/location
Deactivate a Solution
Thiscalldeactivatesasolutiononahost.
Example 15-16. Deactivate a solution
Request:
DELETE https://<nsxmgr-ip>/api/2.0/endpointsecurity/activation/<vendor_id>/<altitude>/<moid>
Status Codes and Error Schema

ThissectionlistsvariousstatuscodesreturnedfromtheRESTAPI,andshowstheerrorschema.
Return Status Codes

The200codesindicatesuccess,the400codesindicatesomefailure,andthe600codesarecallspecific.
354
200OKoperationsuccessful
201Created:Entitysuccessfullyaltered.
400BadRequest:Internalerrorcodes.PleaserefertotheErrorSchemaformoredetails.
401Unauthorized:Incorrectusernameorpassword.
600UnrecognizedvendorID.
601Vendorisalreadyregistered.
602Unrecognizedaltitude.
603Solutionisalreadyregistered.
604InvalidIPv4address.
605Invalidport.
606Portoutofrange.
607Unrecognizedmoid.
608Locationinformationisalreadyset.
609Locationnotset.
612Solutionsstillregistered.
613Solutionlocationinformationstillset.
614Solutionstillactivated.
615Solutionnotactivated.
616Solutionisalreadyactivated.
617IP:Portalreadyinuse.
618BadsolutionID.
619vShieldEndpointisnotlicensed.
620Internalerror.
VMware, Inc.
Error Schema
HereistheXMLschemaforvShieldEndpointregistrationerrors.
<?xml version="1.0" encoding="UTF-8"?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">
<xs:element name="Error">
<xs:complexType>
<xs:sequence>
<xs:element name="code" type="xs:unsignedInt"/>
<xs:element name="description" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
VMware, Inc.
355
356
VMware, Inc.
16AppendixB:
Deprecated APIs
16
ThefollowingAPIshavebeendeprecatedintheNSX6.0release.
Table 16-1. Deprecated APIs
Deprecated API
Alternate API(s)
Local user management

/api/2.0/global/heartbeat
/api/1.0/appliance-management/global/info
/api/2.0/global/config
/api/2.0/services/vcconfig
/api/2.0/services/ssoconfig
/api/1.0/appliance-management/system/network/dns
/api/1.0/appliance-management/system/timesettings
/api/2.0/global/vcInfo
/api/2.0/services/vcconfig
/api/2.0/global/techsupportlogs
/api/1.0/appliance-management/techsupportlogs/NSX
/api/2.0/vdn/map/cluster/clusterID
/api/2.0/services/usermgmt/securityprofile
VMware, Inc.
357
358
VMware, Inc.
Appendix A: Schemas
TheRESTAPIconfigurationofthevShieldEdgeandvShieldAppvirtualmachinessupportsschemasfor
installationandservicemanagement.
Thisappendixcoversthefollowingtopics:
FirewallSchemasonpage 359
Deprecated:vShieldManagerGlobalConfigurationSchemaonpage 361
Deprecated:ESXHostPreparationandUninstallationSchemaonpage 366
Deprecated:vShieldAppSchemasonpage 367
ErrorMessageSchemaonpage 373
Firewall Schemas
Firewall Configuration Schema
VMware, Inc.
359
Firewall Section Schema
360
VMware, Inc.
Appendix A: Schemas
Firewall Sections Schema
Deprecated: vShield Manager Global Configuration Schema

ThefollowingschemashowsvShieldManagerRESTconfiguration.
Thisreplacesthe1.0APIschemaitemsforvCentersynchronization,DNSservice,virtualmachine
information,andsecuritygroups.
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="vmware.vshield.edge.2.0"
xmlns:vse="vmware.vshield.edge.2.0"
elementFormDefault="qualified">
<xs:element name="nsxmgrGlobalConfig">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" name="vshieldEdgeReleaseInfo" type="vse:ReleaseInfoType"/> 
<xs:element minOccurs="0" name="vcInfo" type="vse:VcInfoType" />
<xs:element minOccurs="0" name="hostInfo" type="vse:HostInfoType" />
<xs:element minOccurs="0" name="techSupportLogsTarFilePath" type="xs:string"/>
<xs:element minOccurs="0" name="auditLogs" type="vse:AuditLogsType" />
<xs:element minOccurs="0" name="dnsInfo" type="vse:DnsInfoType" />
<xs:element minOccurs="0" name="versionInfo" type="xs:string" /> 
<xs:element minOccurs="0" name="vpnLicensed" type="xs:boolean" /> 
<xs:element minOccurs="0" name="ipsecVpnTunnels" type="vse:IpsecVpnTunnels" /> 
<xs:element minOccurs="0" maxOccurs="1" name="nsxmgrCapability" type="vse:nsxmgrCapabilityType"/>

<xs:element minOccurs="0" maxOccurs="1" name="timeInfo" type="vse:TimeInfoType"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType name="ReleaseInfoType">

<xs:sequence>
<xs:element name="buildNumber" type="xs:NMTOKEN" /> 
VMware, Inc.
361
<xs:element minOccurs ="0" name="vseLocationOnnsxmgr" type="xs:string" />

</xs:sequence>
</xs:complexType>
<xs:complexType name="SSOInfoType">
<xs:sequence>
<xs:element minOccurs="0" name="nsxmgrSolutionName">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="lookupServiceUrl">
<xs:simpleType>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="ssoAdminUserName">
<xs:simpleType>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="ssoAdminPassword">
<xs:simpleType>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element minOccurs="0" name="certificateThumbprint">
<xs:simpleType>
<xs:pattern
value="[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0
-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F09]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}"></xs:patt
ern>
</xs:restriction>
</xs:simpleType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="VcInfoType">
<xs:sequence>
<xs:element name="ipAddress">
<xs:simpleType>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="userName">
<xs:simpleType>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="password">
<xs:simpleType>
362
VMware, Inc.
Appendix A: Schemas
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element minOccurs="0" name="token">
<xs:simpleType>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element minOccurs="0" name="certificateThumbprint">
<xs:simpleType>
<xs:pattern value="[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{
2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0
-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}:[a-fA-F0-9]{2}"></xs:pattern>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element minOccurs="0" name="pluginDownloadServer">
<xs:simpleType>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element minOccurs="0" name="pluginDownloadPort">
<xs:simpleType>
</xs:restriction>
</xs:simpleType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="HostInfoType">
<xs:sequence>
<xs:element name="hostId" type="xs:string" />
<xs:element name="ipAddress" type="xs:string" />
<xs:element name="userName" type="xs:string" />
<xs:element name="password" type="xs:string" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="SecurityGroups">
<xs:choice>
<xs:element name="securityGroup" type="vse:SecurityGroup" maxOccurs="unbounded" />
<xs:element name="securityGroupIdList" type="vse:SecurityGroupIdList" />
</xs:choice>
</xs:complexType>
<xs:complexType name="SecurityGroup">
<xs:sequence>
<xs:element name="securityGroupBaseNode" type="xs:string"/>
<xs:element name="securityGroupName" type="xs:string"/>
<xs:element name="securityGroupId" type="xs:string" minOccurs="0" />
<xs:element name="securityGroupNodeList" type="vse:NodeList" minOccurs="0"/>
<xs:element name="securityGroupIpList" type="vse:IpList" minOccurs="0" />
</xs:sequence>
</xs:complexType >
<xs:complexType name="SecurityGroupIdList">
<xs:sequence>
<xs:element name="securityGroupId" type="xs:string" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
VMware, Inc.
363
<xs:complexType name="IpList">
<xs:sequence>
<xs:element name="ip" type="xs:string" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="NodeList">
<xs:sequence>
<xs:element name="node" type="vse:SecurityGroupNode" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="SecurityGroupNode">
<xs:sequence>
<xs:element name="id" type="xs:string" />
<xs:element name="name" type="xs:string" minOccurs="0" />
<xs:element name="ipList" type="vse:IpList" minOccurs="0" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="VnicsType">
<xs:sequence>
<xs:element name="vnic" type="vse:VnicType" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="VnicType">
<xs:sequence>
<xs:element name="name" type="xs:string" />
<xs:element name="ipList" type="vse:IpList" minOccurs="0" maxOccurs="1"/>

</xs:sequence>
</xs:complexType>
<xs:complexType name="AuditLogsType">
<xs:sequence>
<xs:element name="auditLog" type="vse:AuditLogType" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="DnsInfoType">
<xs:sequence>
<xs:element name="primaryDns" type="xs:string"/>
<xs:element minOccurs="0" name="secondaryDns" type="xs:string"/>
<xs:element minOccurs="0" name="tertiaryDns" type="xs:string"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="AuditLogType">
<xs:sequence>
<xs:element name="userName" type="xs:string" />
<xs:element name="accessInterface" type="xs:string" />
<xs:element name="module" type="xs:string" />
<xs:element name="operation" type="xs:string" />
<xs:element name="status" type="xs:string" />
<xs:element name="operationSpan" type="xs:string" />
<xs:element name="resource" type="xs:string" />
<xs:element name="timestamp" type="xs:string" />
<xs:element name="notes" type="xs:string" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="IpsecVpnTunnels">
<xs:sequence>
364
VMware, Inc.
Appendix A: Schemas
<xs:element name="lastEventId" type="xs:unsignedInt" />

<xs:element minOccurs="0" maxOccurs="unbounded" name="ipsecVpnTunnelStatusList"
type="vse:IpsecVpnTunnelStatus" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="IpsecVpnTunnelStatus">
<xs:sequence>
<xs:element name="networkId" type="xs:string" />
<xs:element name="ipsecVpnTunnelConfig" type="vse:IpsecVpnTunnelConfigType" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="IpsecVpnTunnelConfigType"> 
<xs:sequence>
<xs:element name="peerName">
<xs:simpleType>
<xs:maxLength value="256"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="peerId" type="xs:string" />
<xs:element name="peerIpAddress" type="xs:string" />
<xs:element maxOccurs="64" name="localSubnet" type="xs:string" /> 
<xs:element maxOccurs="64" name="peerSubnet" type="xs:string" /> 
<xs:element name="authenticationMode" >
<xs:simpleType>
<xs:pattern value="((psk)|(x.509))"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element minOccurs="0" name="preSharedKey" type="xs:string" />
<xs:element minOccurs="0" name="encryptionAlgorithm" type="xs:string" />
<xs:element minOccurs="0" name="mtu" type="xs:unsignedInt" />
<xs:element minOccurs="0" name="status" type="xs:string" />
<xs:element minOccurs="0" name="stateChangeReason" type="xs:string" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="nsxmgrCapabilityType">
<xs:sequence>
<xs:element name="ipsecVpnCapability" type="xs:boolean"/>
<xs:element name="webLoadBalancerCapability" type="xs:boolean"/>
<xs:element name="natCapability" type="xs:boolean"/>
<xs:element name="firewallCapability" type="xs:boolean"/>
<xs:element name="dhcpCapability" type="xs:boolean"/>
<xs:element name="staticRoutingCapability" type="xs:boolean"/>
<xs:element name="nsxmgrVersion" type="xs:string"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="TimeInfoType">
<xs:sequence>
<xs:element minOccurs="0" name="clock" type="xs:string"/>
<xs:element minOccurs="0" name="ntpServer" type="xs:string"/>
<xs:element minOccurs="0" name="zone" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:schema>
VMware, Inc.
365
Deprecated: ESX Host Preparation and Uninstallation Schema

ThisschemacanbeusedtoinstalloruninstallvShieldAppandvShieldEndpointservicesonanESXhost.
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
<xs:element name="VshieldConfiguration">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" name="VszInstallParams" type="VszInstallParams"/>
<xs:element minOccurs="0" name="EpsecInstallParams" type="xs:boolean"/>
<xs:element name="InstallAction" type="InstallAction"/> 
<xs:element name="InstallStatus" type="InstallStatus"/> 
</xs:all>
</xs:complexType>
</xs:element>
<xs:complexType name="InstallStatus">
<xs:sequence>
<xs:element minOccurs="0" name="ProgressState" type="xs:string"/>
<xs:element minOccurs="0" name="ProgressSubState" type="xs:string"/>
<xs:element minOccurs="0" name="InstalledServices" type="InstalledServices"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="InstalledServices">
<xs:sequence>
<xs:element name="VszInstalled" type="xs:boolean"/>
<xs:element name="EpsecInstalled" type="xs:boolean"/>
</xs:sequence>
</xs:complexType>

<xs:complexType name="VszInstallParams">
<xs:sequence>
<xs:element name="DatastoreId" type="Moid"/>
<xs:element name="ManagementPortSwitchId" type="xs:string"/> 
<xs:element name="MgmtInterface" type="MgmtInterfaceType"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="MgmtInterfaceType">
<xs:sequence>
<xs:element name="IpAddress" type="IP"/>
<xs:element name="NetworkMask" type="IP"/>
<xs:element name="DefaultGw" type="IP"/>
</xs:sequence>
</xs:complexType>
<xs:simpleType name="InstallAction">
<xs:enumeration value="install"/>
<xs:enumeration value="upgrade"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="IP">
<xs:pattern value=
"((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])
"/>
</xs:restriction>
</xs:simpleType>
366
VMware, Inc.
Appendix A: Schemas
<xs:simpleType name="Moid">
<xs:pattern value="[a-zA-Z0-9\-]+"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
Deprecated: vShield App Schemas

ThefollowingschemasdetailvShieldAppconfigurationviaRESTAPI.
vShield App Configuration Schema

ThisschemaconfiguresavShieldAppafterinstallation.
<xs:element name="ZonesConfiguration">
<xs:complexType>
<xs:all>
<xs:element name="VszInstallParams" type="VszInstallParams" minOccurs="0"/>
</xs:all>
</xs:complexType>
</xs:element>

<xs:complexType name="VszInstallParamsType">
<xs:sequence>
<xs:element name="NodeId" type="xs:string"/>
<xs:element name="DatacenterId" type="xs:string"/>
<xs:element name="DatastoreId" type="xs:string"/>
<xs:element name="NameForZones" type="xs:string"/>
<xs:element name="VswitchForMgmt" type="xs:string"/>
<xs:element name="MgmtInterface" type="InterfaceType"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="InterfaceType">
<xs:sequence>
<xs:element name="IpAddress" type="xs:NMTOKEN"/>
<xs:element name="NetworkMask" type="xs:NMTOKEN"/>
<xs:element name="DefaultGw" type="xs:NMTOKEN"/>
<xs:element minOccurs="0" name="VlanTag" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:schema>
vShield App Firewall Schema

ThisschemaconfiguresthefirewallrulesenforcedbyavShieldApp.
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" >
<xs:element name="VshieldAppConfiguration">
<xs:complexType>
<xs:choice>
<xs:element name="firewallConfiguration" type="FirewallConfigurationDto" />
<xs:element name="firewallConfigurationHistoryList" type="FirewallConfigHistoryInfoListDto" />
<xs:element name="consolidatedConfiguration" type="FirewallConfigurationDto" maxOccurs="unbounded" />
<xs:element name="status" type="StatusDto" />
<xs:element name="datacenterState" type="DatacenterStateDto" />
<xs:element name="protocolsList" type="ProtocolListDto" />
<xs:element name="protocolTypes" type="ProtocolsTypeEnum" maxOccurs="4" />
VMware, Inc.
367
</xs:choice>
</xs:complexType>
</xs:element>
<xs:complexType name="FirewallConfigHistoryInfoListDto">
<xs:sequence>
<xs:element name="contextId" type="xs:string" />
<xs:element name="firewallConfigHistoryInfo" type="FirewallConfigHistoryInfoDto"maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="FirewallConfigHistoryInfoDto">
<xs:sequence>
<xs:element name="configId" type="xs:long" />
<xs:element name="userId" type="xs:string" />
<xs:element name="timestamp" type="xs:long" />
<xs:element name="status" type="xs:string" minOccurs="0" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="DatacenterStateDto">
<xs:sequence>
<xs:element name="datacenterId" type="xs:string" />
<xs:element name="userId" type="xs:string" minOccurs="0" />
<xs:element name="timestamp" type="xs:long" minOccurs="0" />
<xs:element name="status" type="DatacenterStatusEnum" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="StatusDto">
<xs:sequence>
<xs:element name="currentState" type="ConfigStateEnum" />
<xs:element name="failedPublishInfo" type="FailedPublishInfoDto" maxOccurs="unbounded" minOccurs="0" />
</xs:sequence>
<xs:attribute name="contextId" type="xs:string" use="required" />
<xs:attribute name="generationNumber" type="xs:long" />
</xs:complexType>
<xs:complexType name="FailedPublishInfoDto">
<xs:sequence>
<xs:element name="applianceIp" type="xs:string" />
<xs:element name="timestamp" type="xs:long" />
<xs:element name="errorDescription" type="xs:string" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="FirewallConfigurationDto">
<xs:sequence>
<xs:element name="layer3FirewallRule" type="Layer3FirewallRuleDto" maxOccurs="unbounded" minOccurs="0"
/>
<xs:element name="layer2FirewallRule" type="Layer2FirewallRuleDto" maxOccurs="unbounded" minOccurs="0"
/>
</xs:sequence>
<xs:attribute name="provisioned" type="xs:boolean" use="optional" />
<xs:attribute name="contextId" type="xs:string" use="required" />
<xs:attribute name="timestamp" type="xs:long" use="optional" />
<xs:attribute name="generationNumber" type="xs:long" use="optional" />
</xs:complexType>
<xs:complexType name="ApplicationDto">
<xs:choice>
<xs:element name="applicationSetId" type="xs:string" />
</xs:choice>
</xs:complexType>
<xs:complexType name="DestinationDto" abstract="true">
<xs:sequence>
<xs:element name="address" type="AddressDto" minOccurs="0" />
368
VMware, Inc.
Appendix A: Schemas


</xs:sequence>
</xs:complexType>
<xs:complexType name="Layer2DestinationDto">
<xs:complexContent>
<xs:extension base="DestinationDto">
</xs:extension>
<xs:element name="application" type="ApplicationDto" minOccurs="0" />
</xs:complexContent>
</xs:complexType>
<xs:complexType name="Layer3DestinationDto">
<xs:sequence>
<xs:element name="application" type="ApplicationDto" minOccurs="0" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="Layer3SourceAddressDto">
<xs:sequence>
<xs:element name="portInfo" type="xs:string" minOccurs="0" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="FirewallRuleDto" abstract="true">
<xs:sequence>
<xs:element name="action" type="ActionEnum" />
<xs:element name="logged" type="xs:boolean" />
<xs:element name="notes" type="xs:string" minOccurs="0" />
</xs:sequence>
<xs:attribute name="id" type="xs:long" use="required" />
<xs:attribute name="precedence" type="PrecedenceEnum" use="optional" />
<xs:attribute name="disabled" type="xs:boolean" use="optional" />
</xs:complexType>
<xs:complexType name="Layer2FirewallRuleDto">
<xs:complexContent>
<xs:extension base="FirewallRuleDto">
<xs:sequence>
<xs:element name="source" type="AddressDto" minOccurs="0" />
<xs:element name="destination" type="Layer2DestinationDto" />
</xs:sequence>
</xs:extension>
</xs:complexType>
<xs:complexType name="Layer3FirewallRuleDto">
<xs:complexContent>
<xs:extension base="FirewallRuleDto">
<xs:sequence>
<xs:element name="source" type="Layer3SourceAddressDto" minOccurs="0" />
<xs:element name="destination" type="Layer3DestinationDto" minOccurs="0" />
</xs:sequence>
</xs:extension>
</xs:complexType>
<xs:complexType name="AddressDto">
<xs:choice>
<xs:element name="containerId" type="xs:string" minOccurs="0">
</xs:element>
</xs:choice>
<xs:attribute name="exclude" type="xs:boolean" use="optional" default="false" />
</xs:complexType>
VMware, Inc.
369
<xs:simpleType name="ActionEnum">
<xs:restriction base="xs:NCName">
<xs:enumeration value="allow" />
<xs:enumeration value="deny" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="PrecedenceEnum">
<xs:enumeration value="default" />
<xs:enumeration value="none" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="ConfigStateEnum">

<xs:enumeration value="published" />
<xs:enumeration value="inprogress" />
<xs:enumeration value="publishFailed" />
<xs:enumeration value="Deleted" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="DatacenterStatusEnum">
<xs:enumeration value="upgrading" />
<xs:enumeration value="backwardCompatible" />
<xs:enumeration value="backwardCompatibleReadyForSwitch" />
<xs:enumeration value="migrating" />
<xs:enumeration value="regular" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="ProtocolsTypeEnum">
<xs:enumeration value="application" />
<xs:enumeration value="ipv4" />
<xs:enumeration value="icmp" />
<xs:enumeration value="ethernet" />
</xs:restriction>
</xs:simpleType>
</xs:schema>
vShield App SpoofGuard Schema

ThefollowingschemadetailsSpoofGuardconfiguration.
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"elementFormDefault="qualified">
<xs:complexType>
<xs:choice>
<xs:element name="globalSettings" type="GlobalSettingsDto" />
<xs:element name="ipAssignmentStatistic" type="IpAssignmentStatisticDto" />
<xs:element name="vnicIdList" type="VnicIdListDto" />
<xs:element name="ipAssignmentDetailsList" type="IpAssignmentDetailsListDto" />
<xs:element name="pagedIpAssignmentDetailsList" type="PagedIpAssignmentDetailsListDto" />
<xs:element name="approveIpInfo" type="VnicInfoDto" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:complexType name="PagedIpAssignmentDetailsListDto">
<xs:sequence>
370
VMware, Inc.
Appendix A: Schemas
<xs:element name="ipAssignmentDetails" type="IpAssignmentDetailsDto" maxOccurs="unbounded" />

<xs:element name="pagingDetails" type="PagingInfoDto" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="PagingInfoDto">
<xs:sequence>
<xs:element name="pageSize" type="xs:int" />
<xs:element name="startIndex" type="xs:int" />
<xs:element name="totalCount" type="xs:int" />
<xs:element name="sortOrderAscending" type="xs:boolean" />
<xs:element name="sortBy" type="PagingSortByEnum" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="IpAssignmentDetailsListDto">
<xs:sequence>
<xs:element name="ipAssignmentDetails" type="IpAssignmentDetailsDto"maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="IpAssignmentDetailsDto">
<xs:sequence>
<xs:element name="vnicId" type="xs:string" />
<xs:element name="macAddress" type="xs:string" />
<xs:element name="vnicName" type="xs:string" />
<xs:element name="networkId" type="xs:string" />
<xs:element name="vmId" type="xs:string" />
<xs:element name="vmName" type="xs:string" />
<xs:element name="approvedIpAddress" type="xs:string" />
<xs:element name="approvedBy" type="xs:string" />
<xs:element name="approvedOn" type="xs:long" />
<xs:element name="publishedIpAddress" type="xs:string" />
<xs:element name="publishedBy" type="xs:string" />
<xs:element name="publishedOn" type="xs:long" />
<xs:element name="reviewRequired" type="xs:boolean" />
<xs:element name="duplicateCount" type="xs:int" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="IpAssignmentStatisticDto">
<xs:sequence>
<xs:element name="contextId" type="xs:string" />
<xs:element name="inSync" type="xs:boolean" />
<xs:element name="activeCount" type="xs:long" />
<xs:element name="inactiveCount" type="xs:long" />
<xs:element name="activeSinceLastPublishedCount" type="xs:long" />
<xs:element name="requireReviewCount" type="xs:long" />
<xs:element name="duplicateCount" type="xs:long" />
<xs:element name="unpublishedCount" type="xs:long" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="VnicIdListDto">
<xs:sequence>
<xs:element name="vnicId" type="xs:string" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="VnicInfoDto">
<xs:sequence>
<xs:element name="vnicId" type="xs:string" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="GlobalSettingsDto">
VMware, Inc.
371
<xs:sequence>
<xs:element name="status" type="OperationStatusEnum" />
<xs:element name="mode" type="OperationModeEnum" />

<xs:element name="timestamp" type="xs:long" minOccurs="0" />
<xs:element name="publishedBy" type="xs:string" minOccurs="0" />
</xs:sequence>
</xs:complexType>
<xs:simpleType name="OperationStatusEnum">
<xs:enumeration value="enabled" />
<xs:enumeration value="disabled" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="OperationModeEnum">
<xs:enumeration value="trustOnFirstUse" />
<xs:enumeration value="manual" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="PagingSortByEnum">
<xs:enumeration value="VM_NAME" />
<xs:enumeration value="MAC" />
<xs:enumeration value="APPROVED_IP" />
<xs:enumeration value="CURRENT_IP" />
</xs:restriction>
</xs:simpleType>
</xs:schema>
vShield App Namespace Schema

Thefollowingschemadetailsnamespaceconfiguration.
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="vmware.vshield.global.20.namespace"
xmlns:vsns="vmware.vshield.global.20.namespace" elementFormDefault="qualified">
<xs:complexType>
<xs:choice>
<xs:element maxOccurs="unbounded" name="namespace" type="vsns:NamespaceDto" />
<xs:element maxOccurs="3" name="namespacesType" type="vsns:NamespacesTypeEnum" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:complexType name="NamespaceDto">
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="unbounded" name="namespacePortGroup" type="vsns:PortGroupDto" />
</xs:sequence>
<xs:attribute name="type" use="required" type="vsns:NamespacesTypeEnum" />
<xs:attribute name="id" use="optional" type="xs:long" />
</xs:complexType>
<xs:complexType name="PortGroupDto">
<xs:sequence>
<xs:element maxOccurs="1" name="Id" type="xs:string" />
</xs:sequence>
</xs:complexType>
<xs:simpleType name="NamespacesTypeEnum">
<xs:enumeration value="DEFAULT" />
372
VMware, Inc.
Appendix A: Schemas
<xs:enumeration value="PORTGROUP" />

<xs:enumeration value="NONE" />
</xs:restriction>
</xs:simpleType>
</xs:schema>Retrieved from "https://wiki.eng.vmware.com/NS_DEV/vShieldManager/nsxmgr30/App/ipad/xsd"
Error Message Schema

Thisschemadetailserrormessages.
<xs:element name="Errors">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Error" type="ErrorType"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType name="ErrorType">
<xs:sequence>
<xs:element name="code" type="xs:unsignedInt"/>
<xs:element name="description" type="xs:string"/>
<xs:element minOccurs="0" name="detailedDescription" type="xs:string"/>
<xs:element minOccurs="0" name="index" type="xs:int"/>
<xs:element minOccurs="0" name="resource" type="xs:NMTOKEN"/>
<xs:element minOccurs="0" name="requestId" type="xs:NMTOKEN"/>
<xs:element minOccurs="0" name="module" type="xs:NMTOKEN"/>
</xs:sequence>
</xs:complexType>
</xs:schema>
IfaRESTAPIcallresultsinanerror,theHTTPreplycontainsthefollowinginformation.
AnXMLerrordocumentastheresponsebody
ContentType:application/xml
Anappropriate2xx,4xx,or5xxHTTPstatuscode
Table 17-1. Error Message Status Codes

Code
Description
200 OK
Therequestwasvalidandhasbeencompleted.Generally,thisresponseisaccompanied
byabodydocument(XML).
201 Created
Therequestwascompletedandnewresourcewascreated.TheLocationheaderofthe
responsecontainstheURIofnewlycreatedresource.
204 No Content
Sameas200 OK,buttheresponsebodyisempty(NoXML).
400 Bad Request
Therequestbodycontainsaninvalidrepresentationortherepresentationoftheentityis
missinginformation.TheresponseisaccompaniedbyErrorObject(XML).
401 Unauthorized
Anauthorizationheaderwasexpected.RequestwithinvalidornovShieldManager
Token.
403 Forbidden
Theuserdoesnothaveenoughprivilegestoaccesstheresource.
404 Not Found
Theresourcewasnotfound.TheresponseisaccompaniedbyErrorObject(XML).
500 Internal Server Error
Unexpectederrorwiththeserver.TheresponseisaccompaniedbyErrorObject(XML).
503 Service Unavailable
Cannotproceedwiththerequest,becausesomeoftheservicesareunavailable.Example:
vShieldEdgeisUnreachable.TheresponseisaccompaniedbyErrorObject(XML).
VMware, Inc.
373
374
VMware, Inc.

NSX 604 Api

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

NSX 604 Api

Hochgeladen von

Copyright:

Verfügbare Formate

NSX API Guide

NSX 6.0.4 for vSphere

This document supports the version of each product listed and

NSX API Guide

vShield API Programming Guide

vShield API Programming Guide

vShield API Programming Guide

vShield API Programming Guide

vShield API Programming Guide

vShield API Programming Guide

vShield API Programming Guide

vShield API Programming Guide

About This Book

VMware Technical Publications Glossary

Technical Support and Education Resources

Online and Telephone Support

vShield API Programming Guide

VMware Professional Services

vShield API Programming Guide

Logical Virtual Private Networks (VPN)s

Logical Load Balancer

Chapter 1 Overview of NSX

vShield API Programming Guide

An Introduction to REST API for NSX Users

How REST Works

About the REST API

Chapter 1 Overview of NSX

RESTful Workflow Patterns

For More Information About REST

Using the NSX REST API

To use the REST API in Chrome

vShield API Programming Guide

To use the REST API in curl

Ports Required for NSX REST API

Configuring SSO on NSX Manager

vShield API Programming Guide

Query SSO Details

Query SSO Configuration Status

Delete SSO Configuration

Get Information About a User

Chapter 2 User Management

Enable or Disable a User Account

Remove Role Assignment

Example 2-8. Delete a user role

vShield API Programming Guide

Get Role for a User

Get Role for a NSX Manager User

Chapter 2 User Management

Add Role and Resources for a User

Change User Role

vShield API Programming Guide

Get List of Possible Roles

Get List of Scoping Objects

Chapter 2 User Management

Delete User Role

vShield API Programming Guide

Managing the NSX Manager

Upgrading the Appliance Manager

Upload Upgrade Bundle

Query Upgrade Information

vShield API Programming Guide

Example 3-2. Query upgrade information

Chapter 3 Managing the NSX Manager Appliance